Uploaded On 2017-11-24


Analysis of SSL Certificate Reissues and Revocations in the Wake of Heartbleed

Liang Zhang, Northeastern University, liang@ccs.neu.edu
David Choffnes, Northeastern University, choffnes@ccs.neu.edu
Dave Levin, University of Maryland, dml@cs.umd.edu
Tudor Dumitraş, University of Maryland, tdumitra@umiacs.umd.edu
Alan Mislove, Northeastern University, amislove@ccs.neu.edu
Aaron Schulman, Stanford University, aschulm@stanford.edu
Christo Wilson, Northeastern University, cbw@ccs.neu.edu

Footnote 1: TLS is the successor of SSL, but both use the same X.509 certificates. Throughout the paper, we refer to "SSL clients" and "SSL certificates," but our findings apply equally to servers using both protocols.

servers that were susceptible to Heartbleed should have operated under the assumption that an attacker had already obtained their private keys, and therefore should have revoked their certificates and reissued new ones [5], ideally as soon as the vulnerability was publicly announced.

The scope of this vulnerability -- it is estimated that up to 17% of all HTTPS web servers were vulnerable [22] -- makes it an ideal case study for evaluating large-scale properties of SSL security in the face of private key compromise. While previous studies have measured how quickly and thoroughly administrators patch software vulnerabilities [25, 27, 35], we are, to the best of our knowledge, the first to study administration of certificates in the wake of a vulnerability. In particular, this paper focuses on certificate revocation and reissues in response to the public announcement of Heartbleed, both in terms of how quickly certificates are reissued and whether or not the certificates are eventually revoked.

Toward this goal, we make the following key contributions. First, we conduct a large-scale measurement study of SSL certificates in the wild using both data collected from public archives and through custom measurements conducted after Heartbleed was publicized. We focus on the Alexa Top 1 Million (Top-1M) domains, for which we find a total of 628,692 valid SSL certificates from 166,124 unique domains.

Second, we conduct measurements to determine which servers remain vulnerable to Heartbleed and which ones were previously vulnerable but are now patched. We develop a new SSL implementation
fingerprinting technique that is able to determine if a host is running a version of OpenSSL that was vulnerable in the past. We cross-validate with direct measurements of the vulnerability (we find our technique has a false positive rate of only 1.9%) and conduct scans to compose a list of previously vulnerable hosts. We find that the most popular web sites were more likely to have at least one host vulnerable to Heartbleed, likely because they often have more hosts.

Third, we develop novel heuristics to identify which certificates have been reissued in direct response to Heartbleed, as opposed to other reasons such as certificate expiration or periodic reissues. This allows us to understand how administrators do (or do not) react to potential private key compromise. We observe that while vulnerable sites with a higher Alexa rank were more likely to reissue their certificates, the vast majority (73.3%) of vulnerable certificates had not been reissued fully three weeks after the vulnerability was announced. These vulnerable certificates come from more than 55,000 unique domains.

Fourth, we analyze certificate revocation behavior over time and across certificate owners. We find a sharp (up to 40-fold) increase in revocations per day after the Heartbleed announcement, but for the majority (60%) of reissued certificates, the previous (vulnerable) certificate was not revoked. For those that are revoked due to Heartbleed, we find more revocations in certificate revocation lists (CRLs) to have explanations (reason codes) than revocations unrelated to Heartbleed, and they appear in the CRLs more quickly than revocations not due to Heartbleed. Further, we examine the update frequency of CRLs to determine if Certificate Authorities (CAs), the entities that issue certificates, serve as a "bottleneck" for revocations (as it is the CA who maintains the CRL). We find that CRLs appear to be updated frequently, with over 95% of them being updated within the previous 24-hour period.

The remainder of this paper is organized as follows. In the next section, we provide background about SSL/TLS, PKIs, and the Heartbleed vulnerability. In §3 we describe our dataset and methodology for extracting valid certificates and determining Heartbleed vulnerability at servers. §4 presents the results of our analysis, where we identify the behavior of certificate reissuing and revocation on a large dataset of Alexa's Top-1M web sites. We summarize related work in §5 and conclude in §6.

2. BACKGROUND

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) offer application-layer confidentiality and integrity, and are the basis of the vast majority of secure online communication. Through the use of a public key infrastructure (PKI), these protocols also allow clients to authenticate the servers with whom they communicate. In this section, we provide a brief background of SSL/TLS and PKIs relevant to our study, and describe the recent Heartbleed vulnerability.

2.1 Certificates

A certificate is, at its core, a signed attestation binding a subject to a public key. Certificates are signed by a Certificate Authority (CA), who in turn has its own certificate, and so on, terminating at self-signed root certificates. There is a logical chain of certificates -- leading from a root certificate through zero or more intermediate certificates, to a leaf certificate -- wherein the certificate at level i is signed with the private key corresponding to the certificate at level i - 1, with the exception of the self-signed certificate at the root. In practice, the topology of certificates can be somewhat complex, with CAs signing one another's certificates [17], but such details are not pertinent to the study performed in this paper.

When a client visits a site that supports, say, HTTPS, that site sends its certificate chain to the client, who verifies the signatures from leaf to root. If the client can successfully validate each signature, and if the client trusts the root certificate -- for instance by checking it against a set of certificates pre-installed in the browser or operating system -- then the client infers that the subject in the leaf certificate truly is the owner of the public key.

The predominant format of certificates is X.509 [6], which includes considerably more information than just subject and public key, including a unique (for that CA) serial number, an expiration date, the key's cipher suite, acceptable uses of the key, and information on how to check whether the certificate has been revoked.

2.2 Certificate Revocation

In addition to issuing certificates, CAs are also responsible for making available a list of certificates they have issued that have been revoked, after which clients should no longer consider those certificates valid. Note that, if a CA's (intermediate or root) certificate is revoked, all leaf certificates signed by that CA will fail to validate.

There are many reasons a site can decide to revoke a certificate. One critically important example is that of a compromised certificate. A certificate is compromised if someone other than its original owner learns the corresponding private key, allowing that person to generate signatures and thus impersonate the owner. In the case of a CA certificate, release of the private key may allow an attacker to generate new certificates for arbitrary subjects. In such an event, it is important that the owner revokes the compromised certificate as quickly as possible to mitigate the set of users affected by the compromise.

Certificate Revocation Lists (CRLs) are by far the most common means of disseminating revocations. CRLs consist of a list of (serial number, timestamp of revocation, reason for revocation) triples, all of which are collectively signed by the CA. CAs include in the certificates that they issue a URL pointing to the CRL that would contain that certificate's serial number, if it were to become revoked. Clients periodically download and cache CRLs, and use them when validating a certificate chain. Ostensibly to reduce the communication overhead for CAs and for users, clients typically download CRLs infrequently (on the order of hours or days), potentially leaving many users with outdated information on the validity of their certificates. This has spurred several studies into more efficient means of revocation [12, 21, 23, 29, 36], and general doubt as to the overall efficacy of revocations [28]. Yet, CRLs remain the de facto means of disseminating revocation information, and thus they factor heavily in our study.

2.3 Certificate Reissues

When a site ceases to use a certificate -- for instance because they found that the certificate has been compromised, or because the certificate expired -- they must use a new certificate instead. This process is referred to as reissuing the certificate. To do so, the system administrator must contact the CA who signed their certificate and request a new signature; this is typically done by sending the CA a Certificate Signing Request (CSR). In the case where the private key may have been compromised, the administrator should also choose a new public/private key pair to be signed (as reissuing the certificate with the same key does nothing to mitigate the leaked private key).

While it seems natural to assume that certificates are reissued at precisely the moment the old certificate is revoked, in fact today's PKI protocols make no such requirement. As our study will demonstrate, reissues can happen before, during, or after a revocation -- or even without revoking the old certificate at all. To the best of our knowledge, we are the first to correlate revocations with reissues.

2.4 Heartbleed

Heartbleed is a buffer over-read vulnerability discovered in OpenSSL [24] that was present in versions 1.0.1 (released March 14, 2012) through 1.0.1f. The vulnerability stems from a bug in OpenSSL's implementation of the TLS Heartbeat Extension [30]. The intended functionality of TLS Heartbeat is to allow a client to test a secure communication channel by sending a "heartbeat" message consisting of a string and the 16-bit payload_length of this string. Unfortunately, vulnerable OpenSSL versions fail to check that the payload_length supplied by the client matches the length of the provided string. This allows a malicious client to craft a heartbeat message containing a 1-byte string and 2^16 - 1 as the payload_length. In this case, OpenSSL will allocate a 64 KB block of heap memory, memcpy() 64 KB of data into it, starting with the 1-byte string, and finally send the contents of the entire buffer to the client. In effect, this allows the malicious client to read up to 2^16 - 2 bytes of the server's heap memory. Note that while the malicious client can choose the amount of memory to read, it has no control over the location of the memory that is copied, and therefore cannot choose which memory to read.

By repeatedly exploiting Heartbleed, an attacker can extract sensitive data from the server (e.g., SSL private keys [32], user data [13], etc.). The severity of Heartbleed is exacerbated by the fact that OpenSSL does not log heartbeat messages, giving attackers free rein to undetectably exploit Heartbleed. Given the severity and undetectable nature of malicious users exploiting Heartbleed, site operators were urged to immediately update their OpenSSL software and revoke and reissue their certificates [5].

Timeline. Heartbleed was first discovered by Neel Mehta from Google on March 21, 2014. Google immediately wrote a patch and applied it to their own OpenSSL deployments. On April 2, researchers at Finnish security company Codenomicon independently discovered the bug and dubbed it Heartbleed. On April 4, Akamai patched their servers. On April 7, the bug became public and the OpenSSL project released a patched version (1.0.1g) of the OpenSSL library [15].

Why study Heartbleed? The significance of this timeline, and of Heartbleed in general, is that it represents a point in time after which all vulnerable servers should have taken three critical steps to ensure the security of their service and their users: they should have patched their code, revoked their old certificate, and reissued a new one. As a result, Heartbleed acts as a sort of natural experiment, allowing us to measure how completely and quickly administrators took steps to secure their keys. While such events are (sadly) not terribly uncommon for general security vulnerabilities [25, 27, 35], it remains rare that such a large fraction of the certificate ecosystem must reissue and revoke their SSL certificates.

3. DATA AND METHODOLOGY

We now describe the data sets that we collected and our methodology for determining a host's SSL certificate, when it was in use, if and when the certificate was revoked, and if the host was (or is still) vulnerable to the Heartbleed bug.

3.1 Certificate Data Source

We obtain our collection of SSL certificates from (roughly) weekly scans of the entire IPv4 address space made available by Rapid7 [26]. In this paper, we use scans collected between October 30, 2013 and April 28, 2014. There are a total of 28 scans during this period, giving an average of 6.7 days (with a minimum of 3 days and maximum of 9 days) between successive scans.

The scan data includes all certificates advertised by each host (including intermediate and root certificates) in the scans up through February 5, 2014, and includes only the first advertised certificate by each host in the later scans. For example, suppose that a host is advertising a chain of three certificates: a certificate for example.com, a certificate for GeoTrust, and a self-signed root certificate, where each certificate signs the previous. The earlier scans would include all three certificates, whereas the later scans would include only the certificate for example.com. The lack of full certificate chains in the later scans presents challenges for validation, which we address in §3.2.

Figure 1: Workflow from raw scans of the IPv4 address space to valid certificates (and corresponding CRLs) from the Alexa Top-1M domains. The Rapid7 data after February 5, 2014 did not include the intermediate (CA) certificates, necessitating additional steps and data to perform validation.

The scans found an average of 26.9 million hosts responding to SSL handshakes on port 443 (an average of 9.12% of the entire IPv4 address space). Across all of the scans, we observed a total of 19,438,865 unique certificates (including all leaf and CA certificates). In the sections below, we describe how we filtered and validated this data set; an overview of the process is provided in Figure 1.

3.2 Filtering Data

To focus on web destinations that are commonly accessed by users, we use the Alexa Top-1M domains [2] as observed on April 28, 2014. We first extract all leaf (non-CA) certificates that advertise a Common Name (CN) that is in one of the domains in the Alexa list (e.g., we would include certificates for facebook.com, www.facebook.com, as well as *.dev.facebook.com). This set represents 1,573,332 certificates (8.1% of all certificates). In order to remove invalid and self-signed certificates from this list, we then extract all advertised chains for these certificates (which are only present in the scans through February 5, 2014).

Reconstructing chains. The lack of full certificate chains for the post-February 5, 2014 scans (see §3.1) presents a challenge at this point, as we need the full certificate chains in order to properly validate the leaf certificates. To verify new certificates observed in these later scans, we construct a list of all 4,509 intermediate (CA), non-self-signed certificates observed in previous scans (footnote 2). From these certificates, we use two types of X.509 fields to help with chain reconstruction [6]:

The Subject Key Identifier and Authority Key Identifier are two fields included in most certificates, and uniquely identify the public key the certificate represents (Subject Key Identifier) and the public key that signed this certificate (Authority Key Identifier). The value is typically implemented as a hash of the public key.

The Subject Name and Issuer Name are text fields that represent the name of the entity this certificate represents (Subject Name) and the name of the entity that signed this certificate (Issuer Name).

Footnote 2: We also conduct our own crawl (see §3.4) of hosts advertising certificates in the Alexa list, and included all 4,445 additional non-self-signed CA certificates that we discovered in this list as well. However, we found that none of the additional CA certificates were necessary for validation.

We construct a database of all four of these fields across all 8,954 CA certificates. Using this database, we attempt to reconstruct a leaf certificate's chain based first on the certificate's Authority Key ID and, failing that, the certificate's Issuer Name. In other words, given a leaf certificate, we look for a CA certificate whose Subject Key Identifier is the same as our leaf's Authority Key Identifier. Should we not find one (or should the Subject Key Identifier not be present), we instead look for a CA certificate whose Subject Name is the same as our leaf's Issuer Name. We then recursively apply this technique until we cannot find a parent key, we hit a trusted root certificate, or we hit a self-signed CA certificate. Should we
ndmul-tipleCAkeysthatmatchatanystage,weincludethemallaspotentialchains.Verifyingchains.Wethenunifyoursetofpotentialchains,consistingofbothhost-advertisedchains(forthedatacollectedthroughFebruary5,2014)andreconstructed-chains(forthedatacollectedpost-February5,2014).Un-fortunately,despitetheleafcerti catehavingaCommonNameintheAlexalist,manyofourchainsmaynotbevalid(e.g.,expiredcerti cates,forgedself-signedcerti cates,certi catessignedbyaninvalidroot,etc.).Onecommonsourceofinvalidcerti catesishomerouters/DSLmodemsprovidedbyISPs(e.g.,FRITZ!Boxes)orcloud-accessiblestoragedevices(e.g.,WesternDigital'sMyCloud),bothofwhichadvertiseself-signedSSLcerti catesinthefritz.netandwd2go.comdomains.Weremovedtheseinvalidchainsbyrunningopensslver-ifyoneachcerti cate(anditscorrespondingchain),andonlykeptthecerti catesthatOpenSSLcouldverify.Be-causethescansoccurredatdi erentpointsoftime,weusedthefaketimelibrary[14]tohaveOpenSSLvalidatethecerti cateasofthetimeofthescan.Wealsocon gureOpenSSLtotrustthesetofrootCAcerti catesincludedbydefaultintheOSX10.9.2rootstore[20];thisincludes222uniquerootcerti cates.Aftervalidation,weareleftwith628,692leafcerti cates(40.0%ofallcerti catesadvertisingAlexadomainsand3.2%ofallcerti cates)fromAlexaTop-1MdomainsthatwereadvertisedbysomeIPaddressandcouldbevalidated;werefertothissetofcerti catesastheLeafSet.Eachofthese 2014-02-059,640,973 leaf certificates4,313,480 CA certificates3,240,205 leaf certificatesRapid7Input DataTop-1M domains1,212,837 leaf certificates360,495 leaf certificates FilteringValid chains477,557 leaf certificates 151,135 leaf certificates CA certificates 628,692 leaf certificatesCA certificatesFinal certificates 2014-02-102014-04-28 45,268 revoked leaf certificates 7 revoked CA certificates 1,386 unique Revoked certs as of2014-05-06 Figure2:Fractionofnewcerti catesthatwecouldver-ifyforprovided(February5,2014andbefore)andrecon-structed(postFebruary5,2014)chains.certi cateshasavalidchain;werefertothecollectionofallCAcerti 
catesonthesechains(notincludingtheleafcerti cates)astheCASet;theCASetcontains910uniquecerti cates.TheLeafSetcerti catescover166,124(16.6%)oftheAlexaTop-1Mdomains.Thisisthesetofcerti cates(andcerti catechains)thatweuseintheremainderofthepaper.Validationofreconstruction.Finally,webrie yvalidateourcerti catechainreconstructionmechanismonthepost-February5,2014certi cates.InFigure2,wepresentthefractionofnewcerti catesdiscoveredovertimeforwhichwewereableto ndavalidchain,bothforthepre-andpost-February5,2014data.Wemaketwointerestingobserva-tions:First,thefractionofcerti catesthatwecouldvalidateisrelativelystableat2%bothbeforeandaftertheswitchtousingreconstructedchains,suggestingthatourmechanismforchainreconstructiondoesnotmissmanychains.Sec-ond,weseealargeuptickinthefractionofnewly-appearingcerti catesthatwecouldvalidateafterHeartbleed;aswediscussinthefollowingsection,thisisduetomanycerti -catesbeingreissuedinthewakeofHeartbleed.3.3CollectingCRLsTodetermineifandwhencerti cateswererevoked,weextractedtheCRLURLsoutofallLeafSetcerti cates.WeignoredinvalidURLs,includingldap://protocolsandnon-routableaddresses.Wefound626,659(99.7%)ofthesecer-ti catestoincludeatleastonewell-formed,reachableCRLURL;forcerti catesthatincludedmultipleCRLURLs,weincludedthemall.Wefoundatotalof1,386uniqueCRLURLs(mostcerti catesuseauni edCRLprovidedbythesigningCA,sothesmallnumberofCRLsisnotsurprising).WedownloadedalloftheseCRLsonMay6,2014,andfound45,268(7.2%)oftheLeafSetcerti catestoberevoked.WealsocollectedtheCRLURLsforallcerti catesintheCAset.Wefoundthat884(97.1%)ofthecerti catesintheCASetincludedareachableCRL;theunionoftheseURLscomprised246uniquereachableURLs.Wedown-loadedtheseCRLsonMay6,2014,aswell.WefoundatotalofsevenCAcerti catesthatwererevoked,whichnul-li edthevalidityof60certi 
catesintheLeafSet(0:01%).3.4InferringHeartbleedVulnerabilityFinally,wewishtodetermineifasitewasevervulnerabletotheHeartbleedOpenSSLvulnerability(andifitcontinuedtobevulnerableattheendofthestudy).Doingsoallowsustoreasonaboutwhetherthesiteoperatorsshouldhave Figure3:FlowchartofinferenceofpreviousHeartbleedvulnerabilityofhostsbasedonourSSLscan.reissuedtheirSSLcerti cate(s)andrevokedtheiroldone(s).DeterminingifahostiscurrentlyvulnerabletoHeartbleedisrelativelyeasy,asonecansimplysendimproperly-formattedSSLheartbeatmessagestotestforvulnerability.However,determiningifasitewasvulnerableatsomepointinthepast|buthassinceupdatedtheirOpenSSLcode|ismorechallenging.WeobservethatonlythreeofthecommonTLSimplementationshaveeversupportedSSLHeartbeats[30]:OpenSSL[24],GnuTLS[33],andBotan[4].Thus,ifahostsupportstheSSLHeartbeatextension,weknowthatitisrunningoneofthesethreeimplementations.Botanisalibrarythatistargetedforclient-sideTLS,andweknowofnopopularwebserverthatisabletousetheBotanTLSlibrary.GnuTLShassupportfortheSSLHeartbeatextension,butitisnotenabledbydefault.3TodetermineifthehostisusingGnuTLS,weobservedthatGnuTLSsup-portstheMaxFragmentLengthSSLextension[1],whichisenabledbydefault,whileOpenSSLhasneversupportedthisextension.Thus,ifweobserveahostthatsupportstheSSLHeartbeatextensionbutnottheMaxFragmentLengthex-tension,wedeclarethathosttohavebeenrunningaversionofOpenSSLthatwasvulnerable(seeFigure3foragraphicalrepresentation).TocollectthelistofsitesthatwereevervulnerabletoHeartbleed,we rstextractedthesetofIPaddressesintheApril28,2014Rapid7scanthatwereadvertisingacerti -catewithaCommonNameintheAlexaTop-1Mlist.Wefound5,951,763uniqueIPaddressesinthisset.WethenconnectedtotheseIPaddresses,performedtheTLSnego-tiation,determinedtheSSLextensionsthatthehostsup-ported,anddeterminedwhetherthehostwasstillvulner-abletotheHeartbleedvulnerability.WealsodownloadedthesetofCAcerti catesthatthehostadvertised,whichweusedtoaidcerti 
catevalidation(seex3.2).Limitations.Ourmethodologyforinferringahost'svul-nerabilitytoHeartbleedhasthefollowinglimitations.Be-causewedidourscanthreeweeksafterHeartbleedwasan-nounced,wemayhavebothfalsepositivesandfalseneg-ativesindetectingwhetherahostwasevervulnerabletoHeartbleed.Forfalsepositives,hoststhatwereupgradeddirectlyfromOpenSSL0.9.8toOpenSSL1.0.1g(i.e.,by-passingtheHeartbleedbug)wouldbeincorrectly aggedasbeingvulnerableinthepast.Wesuspectthisfractionissmall,asthiswouldhavehadtohavehappenedbetweenApril7th(thereleaseofOpenSSL1.0.1g)andApril28th(ourscan),butweareunabletoestimatethefractionofhoststhiscovers.Forfalsenegatives,administratorswhorespondedtoHeartbleedbyeitherrecompilingOpenSSLwith 3Infact,inourscan,wedidnotdiscoveranyhoststhatwererunningGnuTLSwithSSLHeartbeatsenabled. 0 0.01 0.02 0.03 0.04 0.05 0.06 0.07 11/2013 12/2013 01/2014 02/2014 03/2014 04/2014 05/2014 Fraction of NewCertificates ValidatedDateSwitch toreconstructedchainsHeartbleed Connect to sitevia SSL SupportsHeartbeats? SupportsMax Fragment Length? 
YesYesNever vulnerableNever vulnerable(likely GnuTLS)Was vulnerable Figure4:Exampleoflifetime,forcerti catesform.scotrail.co.uk.Allhostsexceptoneswitchtoanewcerti cateafterFebruary10,2014.-DOPENSSL_NO_HEARTBEATSorwhodowngradedtheirOpenSSLimplementationtoversion0.9.8wouldhavetheirhostsincorrectly aggedasneverhavingbeenvul-nerable.Wearesimilarlyunabletodeterminethefractionofhostsinourdatasetthatthisappliesto;wesuspectitissmallaswell,asmanyoperatingsystemsvendors(e.g.,Ubuntu)pushedoutaHeartbleedsecurityupdatethatisusuallyautomaticallyapplied.Veri cationofvulnerabilitydetection.WeperformedabriefexperimenttoestimatethefalsenegativerateofourHeartbleedvulnerabilitydetectionmechanism.WeuseavulnerabilityscanoftheAlexaTop-1MdomainsconductedbytheauthorsofZMap[37]onApril9,2014,whichcon-tainsalistofhoststheycon rmedtobevulnerabletoHeart-bleed.InourscanonApril28,2014(19daysaftertheZMapscan),wefoundthat8,651ofthesehostswerestilladver-tisingacerti catewiththesameCommonName.Ofthese,1,737(20.1%)werestillvulnerable;theremainderwerelikelypatchedinthemeantime.Usingour ngerprintingmethod-ologyabove,wewouldhaveinferredthat8,483(98.1%)ofthehostswererunningaversionofOpenSSLthatwasvul-nerableatsomepoint(despitethefactthatthemajorityofthesewereactuallynolongervulnerable).Thishighrateofrecall,coupledwiththeunlikelihoodoffalsenegatives,leadsustoconcludethatourmethodologyforinferringpreviousvulnerabilityishighlyaccurate.4.ANALYSISWenowturntoexaminethecollectedSSLcerti catedata.We rstpresentafewde nitionsweuseintheanalysisbe-foreproceeding.4.1DenitionsWeareconcernedwiththeevolutionofSSLcerti cates(i.e.,whenarenewcerti catescreated,oldonesretired,etc.).Toaidinunderstandingthisevolution,wede nethefollowingnotions:Certi catebirth:Wede nethebirthofanSSLcerti -catetobethedateofthe rstscanwhereweobservedanyhostadvertisingthatcerti cate.Forhoststhatweobservedadvertisingacerti cateonthevery rstscan(October30,2013),wede nethesecerti catestohavenobirthdate,sincewedonotknowwhentheywere rstadvertised.4 
4Ofcourse,somecerti catesmayhavebeenmissedonthe rstscanifthehostwasdown;thesecerti cateswouldlikely Figure5:Numberofcerti catebirth,deaths,reissues,andrevocationsovertime.Notethelogscaleonthey-axis.Certi catedeath:De ningthedeathofacerti cateismorecomplicated,asweobserveanumberofinstanceswheremanyhostsadvertiseagivencerti cate,andthenallbutoneorafewofthehostsswitchovertoanewcerti cate(presumably,thesiteintendedtoretiretheoldcerti cate,butmissedsomeofthehosts).Tohandlethesecases,wecalculatethemaximumnumberofhoststhatwereeverad-vertisingeachcerti cate.Wethende nethedeathofanSSLcerti catetobethelastdatethatthenumberofhostsadvertisingthecerti catewasabove10%ofthatcerti cate'smaximum.The10%thresholdpreventsusfromincorrectlyclassifyingcerti catesthatarestillwidelyavailableasdead,evenifthecerti catehasbeenreissued.Notethatcerti -catesmaynothaveadeathdateifthecerti cateisstilladvertisedbymanyIPaddressesonourlastscan.Anexampleofcerti catelifetimeisshowninFigure4,forthecerti catesform.scotrail.co.uk.Allhostsexceptoneswitchtoanewcerti cateafterFebruary10,2014;thislonehost nallyswitchesonApril28,2014.Inthiscase,wewouldconsiderthedeathdateoftheoldcerti catetobeFebruary10,2014(asindicatedinthe gure),andwewouldconsiderthenewcerti catetohavenodeathdate.Basedonthesede nitions,wecannowde nethenotionofacerti catereissueandrevocation:Certi catereissue:Weconsideracerti catetobereissuedifthefollowingthreeconditionshold:(a)weobservethecerti catedie,and(b)weobserveanewcerti cateforthesameCommonNamebornduringascanwithin10days5ofthecerti cate'sdeath,and(c)weobserveatleastoneIPaddressswitchfromtheoldcerti catetothenewbetweenthetwoscans.Wede nethedateofthecerti catereissuetobethedateofthecerti cate'sdeath.Forthesakeofclarity,werefertotheoldcerti catethatwasreplacedastheretiredcerti cate.Certi caterevocation:Weconsideracerti catetobere-vokedifthecerti cate'sserialnumberappearsinanyofthecerti cate'sCRLs.ThedateofrevocationisprovidedintheCRLentry. 
showupinthesecondscan(andwouldhaveabirthdateofthenextscan).ThisisthecauseofthesmallspikeinbirthsonNovember2,2013inFigure5.5Wechoose10daysasathresholdasthisisthemaximumdi erencebetweentwosuccessivescans. 0 2 4 6 8 10 12 14 16 18 20 11/2013 12/2013 01/2014 02/2014 03/2014 04/2014 05/2014 Number of Unique HostsAdvertising CertificateDateInferred reissue date Old certificate New certificate 1 10 100 1000 10000 100000 11/2013 12/2013 01/2014 02/2014 03/2014 04/2014 05/2014 Number of Certificates/DayDateHeartbleed Birth Death Reissue Revoke Figure6:FractionofdomainsthathaveatleastonehostthatwasevervulnerabletoHeartbleedasafunctionofAlexarank,aswellasdomainsthatcontinuedtobevulnerableattheendofthestudy.InFigure5,wepresentthenumberofcerti catebirths,deaths,reissues,andrevocationsperdayovertime.Thenumberofbirthsisalmostalwayslargerthanthenumberofdeaths,meaningthatthetotalnumberofcerti catesin-the-wildisincreasingovertime.Furthermore,weobservealargespikeinallfoureventsinthewakeofHeartbleed,withanespeciallylargeincreaseinthenumberofrevocations.Forexample,weseeanaverageof29certi caterevocationsperdaybeforeHeartbleed;afterHeartbleed,thisjumpstoanaverageof1,414revocationsperday.4.2HeartbleedPrevalenceWepresentabriefanalysisonthenumberofcerti cateshostedbymachinesthatwereevervulnerabletoHeartbleed.Ofthe428,552leafcerti catesthatwerestillaliveonthelastscan,weobserve122,832(28.6%)ofthemadvertisedbyahostthatwaslikelyvulnerabletoHeartbleedatsomepointintime.6Thesecerti catesarefor117,112uniqueCommonNamesandcomefrom70,875uniqueAlexaTop-1Mdomains.Ofthesecerti cates,11,915certi 
cates(from10,366uniquedomains)wereonhoststhatwerestillvul-nerableatthetimeofourcrawl(April30,2014,overthreeweeksaftertheannouncementofHeartbleed).Thisresultdemonstratesthateveninthewakeofawell-publicized,se-veresecurityvulnerability,around10%ofvulnerablesiteshavenotyetaddressedtheunderlyingissuethreeweeksaf-terthefact.InFigure6,wepresentthefractionofdomainsthathaveatleastoneSSLhostthatwasevervulnerabletoHeart-bleed(orstillwasasofApril30,2014).Wecanobserveaslightincreaseinlikelihoodofeverbeingvulnerableforthemostpopularsites,butthedistributionquicklystabilizes.Again,theincreasedlikelihoodofbeingvulnerableislikelybecausethesesiteshavelargernumbersofhosts.ThistrendismirroredinthehoststhatarestillvulnerableonApril30,2014.4.3CerticateReissuesWenowexaminethereissuingofSSLcerti catesinthewakeofHeartbleed.NotallSSLcerti catereissuesthatweobservefollowingHeartbleed'sannouncementareduetotheHeartbleedvulnerability.Inparticular,reissuescanhappen 6Thisfractionissomewhathigherthanthe17%ofsitesthatNetcraftfoundtobevulnerable[22],butwenotethatwearemeasuringcerti catesfromtheAlexaTop-1MwhileNetcraftismeasuringallSSL-enabledsitesontheInternet. 
Figure7:Cumulativedistributionofthenumberofdaysbeforeexpirationthatcerti catesarereissued.foratleasttwootherreasons:First,theoldcerti catecouldbeexpiringsoon,andtheorganizationreissuesthecerti cateasitwouldnormally.InFigure7,wepresentthecumulativedistributionofthenumberofdaysbeforeexpirythatweobservecerti catesbeingreissued.Weseethatover50%ofcerti catesarereissuedwithin60daysoftheirexpirydate(withalongtail).Second,asitemayperiodicallyreissuecerti catesasamatterofpolicy(eveniftheoldcerti catewasnotnearexpiration).Forexample,Figure8presentsagraphshowingtheprevalenceofthewww.google.comcerti catesovertime,witheachlinerepresentingthenumberofhostsadvertisingadi erentcerti cate.Googletypicallyreissuesthiscerti cateeverytwoweeks,despitethefactthatthecerti catesaretypicallyvalidformorethanthreemonths.Inthisstudy,wewouldliketobeabletodistinguishaHeartbleed-inducedcerti catereissuefromareissuethatwouldotherwisehavehappenedanyway.Wede nethereis-sueofacerti catetobeHeartbleed-inducedifallthreeofthefollowingconditionshold:1.ThedateofreissuewasonorafterApril7,2014(thedayHeartbleedwasannounced).WenotethatasmallnumberoforganizationswereinformedaboutHeart-bleedbeforethepublicannouncement;asthislistisnotfullyknown,wedonotconsiderthemseparately.2.Thecerti catethatisreissuedwasgoingtoexpiremorethan60daysafterthereissue.Thiseliminatescerti catesthatwereverylikelytobereissuedinthenearfutureanyway. Figure8:Exampleofcerti catebirthanddeathforcer-ti catesforwww.google.com.Googlereissuesthiscerti cateaboutonceeverytwoweeks(eachimpulserepresentsadif-ferentcerti cate). 
3. We do not observe more than two other reissues for certificates with that Common Name in the time before Heartbleed. This implies that certificates with that name do not typically get reissued more than once every 3 months (as far as we can observe from our dataset), as our dataset begins on October 30, 2013 (slightly over 5 months before the announcement of the Heartbleed vulnerability).

Thus, for the examples shown so far, we would not have considered the reissue of the retired certificate in Figure 4 to be Heartbleed-induced (as it happened before Heartbleed), and we would also have not considered any of Google's reissues in Figure 8 to be Heartbleed-induced (because we observed a total of 12 reissues of certificates with that Common Name prior to Heartbleed). It is important to note that Heartbleed-induced reissues can happen for certificates that we never observed on a vulnerable host, either because we falsely declared the certificate to not be vulnerable (see §3.4) or because the site reissued out of an abundance of caution, even though they were not actually vulnerable. Given these three conditions, we expect that our estimate of Heartbleed-induced reissues is a strict lower bound.

Heartbleed-induced reissues. Overall, we observe 36,781 certificate reissues that we declare to be Heartbleed-induced in the three weeks following the announcement; this is 8.9% of all certificates that were alive at the time Heartbleed was announced. In Figure 9, we present the number of Heartbleed-induced and non-Heartbleed-induced certificate reissues over time. We observe that the number of non-Heartbleed-induced reissues is relatively stable, even after Heartbleed, suggesting our designation of Heartbleed-induced reissues is likely accurate. The slight spike in non-Heartbleed-induced reissues after April 7 may reflect that our approach yields a conservative underestimate of the number of Heartbleed-induced reissues.

Figure 9: Number of Heartbleed-induced and non-Heartbleed-induced certificate reissues over time.

Next, we examine the fraction of sites that have at least one Heartbleed-induced certificate reissue, as a function of Alexa rank. Figure 10 presents these results; we can observe a strong correlation with Alexa rank. Higher-ranked sites are much more likely to have reissued at least one certificate due to Heartbleed (even though they are only slightly more likely to have been vulnerable, as observed in Figure 6). This result complements previous studies' findings that more popular websites often exhibit more sound administrative practices [8, 17].

Figure 10: Fraction of domains that have at least one Heartbleed-induced reissue/revocation as a function of Alexa rank.

Vulnerable certificates. Next, we examine the certificates that should have been reissued (regardless of whether they actually were); we refer to these certificates as vulnerable certificates. We declare a certificate to be vulnerable if the following three conditions hold:

1. Its date of birth was before April 7, 2014,
2. It has not expired as of April 30, and
3. It was advertised by at least one host that was (or is) vulnerable to Heartbleed.

In other words, these certificates are vulnerable because their associated private keys could have been stolen by attackers.

Overall, we find 107,712 vulnerable certificates. Of these, we observe that only 28,652 (26.7%) have been reissued as of April 30. The remaining 79,060 (73.3%) vulnerable certificates that have not been reissued come from 55,086 different Alexa Top-1M domains. Thus, the vast majority of SSL certificates that were potentially exposed by the Heartbleed bug remain in-use over three weeks after the vulnerability was announced.

Reissues with same key. System administrators who believe that their SSL private key may have been compromised should generate a new public/private key pair when reissuing their certificate. We now examine how frequently this is done, both in the case of normal certificate reissues and for Heartbleed-induced reissues. We first observe that, in general, reissuing a certificate using the same public/private key pair is quite common. Figure 11 presents the fraction of all new certificates that use the same key as the one they are replacing; up to 53% of all reissued certificates do so. This high level of key reuse is at least partially due to system administrators re-using the same Certificate Signing Request (CSR) when requesting the new certificate from their CA. In the wake of Heartbleed, we observe a significant drop in the frequency of reissuing certificates with the same key; this result indicates that sites are generating a new key pair more frequently. However, if we focus on the Heartbleed-induced reissues, we observe that a non-trivial fraction (4.1%) of these certificates are reissued with the same key (thereby defeating the purpose of reissuing the certificate). In fact, we observe a total of 912 such certificates coming from 747 distinct Alexa domains.

Figure 11: Fraction of new certificates that use the same public/private key pair as the key they are replacing.

4.4 Certificate Revocation

We now turn to investigating certificate revocation before, during, and after the revelation of Heartbleed. Recall that it is critical that a vulnerable certificate be revoked: even if a site reissues a new certificate, if an attacker gained access to the vulnerable certificate's private key, then that attacker will be able to impersonate the owner until either the certificate expires or is revoked.⁷ We study both revocation and expiration here, and correlate them with rates of reissue. Contrary to standard assumptions, we find that revocation and reissues do not happen simultaneously.

⁷ We note that revocation alone is often insufficient to prevent impersonation, as an attacker may be able to prevent the client from accessing the CRL. In this case, many web browsers still accept the certificate as valid [18].

Figure 12: Number of domains that revoked at least one certificate over time for the month before and after Heartbleed.

Overall revocation rates. Figure 5 shows the number of certificate revocations over time; as noted above, the average jumps from 29 certificates revoked per day to 1,414 post-Heartbleed. However, the spike on April 16, 2014 is somewhat misleading, as it was largely due to the mass-revocation of 19,384 CloudFlare certificates of the form sslXXXXX.cloudflare.com [31]. To mitigate this issue, we plot in Figure 12 the number of unique domains that revoked at least one certificate over time. We make three interesting observations: First, the magnitude of the Heartbleed-induced spike is greatly reduced, but we still observe an up-to-40-fold increase in the number of domains issuing revocations per day. Second, we observe that the number of domains issuing revocations falls closer to its pre-Heartbleed level by April 28th, suggesting that most of the domains that will revoke their certificate in direct response to Heartbleed already have.
Third, we observe three "dips" in the post-Heartbleed revocation rate on April 13th, April 20th, and April 27th (all weekends), indicating that far fewer revocations occur on the weekend relative to the rest of the week. This periodicity can also be (less-easily) observed in the pre-Heartbleed time frame. It is reasonable to assume revocations dip on weekends because humans are involved in the revocation process; however, it is not clear who is responsible for the delays: is it site administrators or CRL maintainers at CAs (or both) who are not working on weekends? Regardless of who is responsible, these weekend delays are problematic for online security, since vulnerabilities (and the attackers who exploit them) do not take weekends off.

Revocation of reissued certificates. We now examine the fraction of retired certificates (i.e., old certificates that have been superseded by a reissued cert) that are revoked within two weeks of being retired. Figure 13 plots this fraction over time. For example, the point on March 3, 2014 shows that 2.2% of the certificates retired on that day were revoked by March 17, 2014. Overall, we see that between 2% and 3% of certificates being retired are eventually revoked. This probability increases by an order of magnitude after Heartbleed, with almost 40% of retired certificates being revoked quickly afterwards. This result suggests that the reason many certificates were reissued just after April 7 was because of Heartbleed, since the retired certificates were also revoked. This contrasts with certificates that are reissued due to impending expiration, in which case the retired certificate does not need to be revoked.

Figure 13: Fraction of reissued certificates that are revoked within two weeks of being retired. A significant increase in revocation probability is observed after Heartbleed.

Heartbleed-induced revocations. Similar to certificate reissues, not all certificate revocations after April 7, 2014 are necessarily due to Heartbleed (e.g., the site could have exposed their private key due to a different vulnerability). We therefore define a Heartbleed-induced revocation to be a certificate revocation where the certificate had a Heartbleed-induced reissue (see §4.3).

Overall, we observe 14,726 Heartbleed-induced revocations; this corresponds to 40% of all Heartbleed-induced reissued certificates. Thus, 60% of all certificates that were reissued due to Heartbleed were not revoked, implying that, if the certificate's private key was actually stolen, the attacker would be able to impersonate the victim without any clients being able to detect it.

Figure 10 presents the fraction of sites that have at least one Heartbleed-induced certificate revocation, as a function of Alexa rank. Revocations follow a similar trend to reissues, i.e., sites with high rank are slightly more likely to revoke. Ideally, the two lines in Figure 10 should be coincident, i.e., all sites reissuing certificates due to Heartbleed should also have revoked the retired certificates (the only exception to this rule is if the retired certificate was about to expire anyway, but we account for this in our definitions of Heartbleed-induced reissues and revocations). This result highlights a serious gap in security best-practices across all of the sites in the Alexa Top-1M.

Finally, we examine the revocation speed, or the number of days between when a certificate is reissued and when it is revoked. Figure 14 presents the cumulative distribution of the revocation speed for both Heartbleed-induced and non-Heartbleed-induced revocations. To make the distributions comparable, we only look at differences between -10 and 10 days (recall that Heartbleed-induced reissues and revocations can only occur after April 7, 2014, limiting that distribution). We observe that Heartbleed-induced revocations appear to happen slightly more quickly, though not to the extent one might expect, given the urgent nature of the vulnerability. We also observe that revocation almost always happens after reissue, which is likely explained by the more manual process that revocation often entails. This result contradicts previous assumptions [8] that revocations and reissues occur simultaneously. Finally, it is worth noting that the granularity of our scans makes generalizing these results difficult, since we cannot tell exactly when a certificate was reissued; however, the two distributions are comparable to each other.

Figure 14: Cumulative distribution of the number of days between when a certificate is reissued and when it is revoked. Positive values indicate the certificate is reissued before it is revoked; negative values indicate the opposite.

Expirations are not enough. To demonstrate how long the effects of this vulnerability could be felt if sites do not revoke their vulnerable certificates, we analyze certificates that, by the end of our data collection, were found to be vulnerable (and alive) when Heartbleed was announced, reissued thereafter, but never revoked. Figure 15 presents the distribution of how much longer such certificates will continue to live if their sites do not revoke them. Note that this CDF appears to be piecewise linear at intervals of 1 year: this is because expiration dates are typically set at intervals of a year; that the distribution is roughly uniform within these year intervals indicates that certificates are issued mostly uniformly throughout the year. This figure shows that, without revoking, the vulnerability introduced in 2014 could affect clients through 2020. We conclude from this that, given the meager rates of revocation, it would be helpful for CAs to shift to shorter expiry times in their certificates.
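The definitions given in Sections 4.3 and 4.4 above (Heartbleed-induced reissue, vulnerable certificate, same-key reissue, Heartbleed-induced revocation, reissue-to-revocation delay and remaining exposure) can be applied mechanically to per-certificate scan records. The following is an added example, not the authors' analysis code; the record fields, the `.test` domains and every sample certificate are constructed assumptions, and exposure is measured from the end of the observation window.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

HEARTBLEED = date(2014, 4, 7)   # public announcement date used in the paper
SCAN_END = date(2014, 4, 30)    # end of the observation window in the paper
EXPIRY_MARGIN_DAYS = 60         # reissue condition 2
MAX_PRIOR_REISSUES = 2          # reissue condition 3


@dataclass(frozen=True)
class Cert:
    """One certificate as reconstructed from scans (field names are assumptions)."""
    common_name: str
    serial: str
    key_id: str                        # fingerprint of the public key
    birth: date                        # first scan that saw it advertised
    not_after: date                    # expiry date
    on_vulnerable_host: bool = False   # ever served by a Heartbleed-vulnerable host
    revoked_on: Optional[date] = None  # revocation date from a CRL, if any


def is_vulnerable(cert: Cert) -> bool:
    """Born before the announcement, unexpired at scan end, seen on a vulnerable host."""
    return (cert.birth < HEARTBLEED and cert.not_after > SCAN_END
            and cert.on_vulnerable_host)


def classify_reissues(history: List[Cert]) -> List[dict]:
    """Label every old -> new replacement for one Common Name."""
    history = sorted(history, key=lambda c: c.birth)
    pairs = list(zip(history, history[1:]))
    # Condition 3 counts reissues of this name seen before the announcement.
    prior = sum(1 for _, new in pairs if new.birth < HEARTBLEED)
    findings = []
    for old, new in pairs:
        reissued = new.birth
        induced = (reissued >= HEARTBLEED                                    # 1
                   and (old.not_after - reissued).days > EXPIRY_MARGIN_DAYS  # 2
                   and prior <= MAX_PRIOR_REISSUES)                          # 3
        revoked = old.revoked_on is not None
        findings.append({
            "old_serial": old.serial,
            "old_cert_vulnerable": is_vulnerable(old),
            "heartbleed_induced": induced,
            # Same key pair on the new certificate: the reissue protects nothing.
            "same_key": old.key_id == new.key_id,
            # Revocation of a certificate that had a Heartbleed-induced reissue.
            "heartbleed_induced_revocation": induced and revoked,
            # Positive means reissued first and revoked later.
            "days_reissue_to_revocation":
                (old.revoked_on - reissued).days if revoked else None,
            # How long a stolen key stays usable if the old cert is never revoked.
            "exposure_days_if_unrevoked":
                0 if revoked else max((old.not_after - SCAN_END).days, 0),
        })
    return findings


def audit(certs: List[Cert]) -> Dict[str, List[dict]]:
    """Group certificates by Common Name and classify each name's reissues."""
    by_name = defaultdict(list)
    for cert in certs:
        by_name[cert.common_name].append(cert)
    return {name: classify_reissues(group) for name, group in by_name.items()}


# Constructed sample data (not from the paper's dataset).
SAMPLE = [
    # New key and prompt revocation: the response the paper argues for.
    Cert("example.test", "A1", "key-1", date(2013, 11, 15), date(2015, 11, 15),
         on_vulnerable_host=True, revoked_on=date(2014, 4, 12)),
    Cert("example.test", "A2", "key-2", date(2014, 4, 10), date(2015, 4, 10)),
    # Reissued with the same key and never revoked.
    Cert("shop.test", "B1", "key-3", date(2013, 12, 1), date(2016, 12, 1),
         on_vulnerable_host=True),
    Cert("shop.test", "B2", "key-3", date(2014, 4, 9), date(2016, 4, 9)),
    # Old certificate was within 60 days of expiry: ordinary renewal.
    Cert("expiring.test", "C1", "key-4", date(2013, 5, 20), date(2014, 5, 20)),
    Cert("expiring.test", "C2", "key-5", date(2014, 4, 15), date(2015, 4, 15)),
]
# A name that rotates every two weeks as policy (13 certificates, 12 reissues).
SAMPLE += [
    Cert("rotating.test", f"R{i}", f"rot-{i}",
         date(2013, 11, 1) + timedelta(days=14 * i),
         date(2013, 11, 1) + timedelta(days=14 * i + 100))
    for i in range(13)
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        for f in findings:
            print(name, f)
```

In the sample, `shop.test` is the case the paper warns about: a Heartbleed-induced reissue that keeps the old key and leaves the old certificate unrevoked, so a stolen key stays usable for more than two years.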
Figure 15: The distribution of time-until-expiry for vulnerable, reissued, but not revoked certificates. If these certificates are never revoked, this figure shows how long they will persist.

CRL reason codes. The CRL specification allows the maintainers of CRLs to include a reason for why a certificate was revoked along with the revocation in the form of a small set of reason codes. The reason code is optional, and the options range from "Unspecified" to "Key Compromised" to "Privilege Withdrawn" [6]. Note that the CRL reason codes are not necessarily verified by the certificate authorities, and they may be incorrect. For all of the certificates that we observed to be revoked, we extracted the reason code (if one existed); we present the distribution of these reason codes for both Heartbleed-induced and non-Heartbleed-induced certificate reissues in Figure 16. Note the log-scale on the x-axis.

We make two key observations. First, we see a significant increase in the probability of a reason code being provided at all for Heartbleed-induced revocations: only 19.2% of non-Heartbleed-induced revocations provide any reason code (including the "Unspecified" reason code), while 27.1% of Heartbleed-induced revocations provide a reason code. Second, we observe a large increase in the "Key Compromise" reason code (from 0.40% to 1.18% of all CRL entries); given that Heartbleed certificates are likely being reissued due to concerns that the private key may have been compromised, this increase is not unexpected. However, it still appears that the vast majority of CRL entries are mis-coded. Prior work has also noted that CRLs are usually mis-coded [8], although the snapshot we present in Figure 16 is even more stark, given that we know Heartbleed-induced revocations should have been revoked with a reason code of "Key Compromise".

Figure 16: Distribution of CRL reason codes given for both Heartbleed-induced and non-Heartbleed-induced certificate reissues. Note the log scale on the x-axis. We observe an increase in reasons for revocations being given for Heartbleed-induced reissues, especially for the "Key Compromised" reason code.

CRL update intervals. The general lack of site administrators revoking certificates when they should (e.g., after Heartbleed) could be attributed to the CAs only updating their CRLs on very long time scales. For example, one reason for this would be if CAs kept their private keys on offline hosts that would have to be powered on every time to sign CRLs. Another reason would be so clients do not need to download new CRLs very often.

Figure 17 indicates that neither of these reasons is true. This figure shows the cumulative distribution of the difference between the time we downloaded a CRL and the time it was issued. We see that 95% of CAs signed a fresh CRL within 24 hours of 6:00pm EST (when we downloaded the CRLs). When CAs sign a fresh CRL, they have the opportunity to revoke more certificates. These results suggest that CAs could revoke certificates as often as every few hours. Thus, any delays in the revocation of certificates are due to humans in the loop: either certificate owners who are not reporting potentially compromised keys, or CA personnel who are not manually adding new entries to CRLs before they are signed and shipped.

Figure 17: Cumulative distribution of the time between when we downloaded the CRLs (6:00pm EST) and the time of issue recorded in the CRL (and signed by the CA). Most CAs have a chance to revoke certificates at least once a day, as 95% of the CAs updated their CRLs within 24 hours of when we downloaded them.

Another important factor in the context of client impact is when (and whether) clients obtained the list of revocations. Unfortunately, we are unable to answer this question given our data collection methodology (it would require instrumenting end-hosts to see when precisely their browsers and operating systems fetched CRLs or issued OCSP queries). Such a study is an interesting area of future work. However, there is one aspect of this problem to which we may be able to lend insight; it was recently reported that many browsers do not even bother to check certificates' CRLs, with the exception of extended validation (EV) certificates [7]. We next turn to an analysis of how these EV certificates are reissued and revoked in comparison to the entire corpus of certificates.

4.5 Extended Validation Certificates

Recall that one of the major roles of a CA is to validate the identity of the subjects for whom it issues certificates. Extended Validation (EV) certificates are a means by which CAs can express that this identity-verification process has followed a set of (presumably stringent) established criteria. EV certificates are standard X.509 certificates, and offer no additional security per se, but the rationale is that with a more thorough verification process by the CAs, these certificates can be more readily verified and trusted by users.⁸ That said, there remains concern as to whether or not this trust is well-placed. We close this section by investigating the rate at which vulnerable EV certificates were revoked and reissued as compared to the entire aggregate of certificates.

⁸ Many browsers present EV certificates with a green box in the address bar, while non-EV certificates are often just represented with a gray lock icon.

Figure 18: The rate at which vulnerable certificates were reissued and revoked after Heartbleed's announcement. (Note that the y-axis does not begin at zero.)

Figure 18 shows the fraction of vulnerable certificates that have yet to be reissued or revoked over time. In this figure, the initial y values do not all start at 1.0 for reissues: this is because, with coarse granularity of our data, we cannot be certain whether some certificates were reissued immediately after the scan on April 7, 2014, immediately before the scan on April 10, 2014, or in between. We therefore provide the most optimistic possibility: if we know a certificate was reissued between days d and d+k, then we plot it as having been reissued on day d. The coarse granularity of the scans also explains why the reissue lines do not advance beyond April 21.

Regardless, one trend that remains clear is that sites are more proactive in reissuing new certificates than in revoking old ones. This contradicts prior assumptions that revocations and reissues occur simultaneously [8]. Indeed, it is not yet clear to us why a site would reissue a vulnerable certificate without revoking it, but these trends demonstrate that it is a common practice, even for those with EV certificates.

This figure shows a generally bleak view of how thoroughly sites revoke and reissue their certificates when necessary. Note that the y-axis begins at 0.65: three weeks after the revelation of Heartbleed, over 87% of all certificates we found to be vulnerable have yet to be revoked, and over 73% of them have yet to be reissued. Of those that did revoke their certificates, we find that the speed at which they did so matches that of earlier studies on the spread of patches [25, 27]: there is an exponential drop-off, followed by a gradual decline. Specifically, the "Not revoked (all)" line fits the curve $0.179e^{-0.073x} + 0.830$, while the "Not revoked (EV)" line fits the curve $0.144e^{-0.118x} + 0.859$.

Overall, EV certificates follow similar trends to the entire corpus, with a slightly faster and more thorough response. Interestingly, while EV certificates were revoked more quickly, their non-EV counterparts caught up within ten days; however, EV certificates were reissued both more quickly and more thoroughly. We expect that the underlying cause of this observation is a self-selection effect, i.e., security-conscious sites are more likely to seek out EV certificates in the first place. We doubt that the additional identity verification steps required to obtain an EV certificate play a large role in this (slightly) improved reaction to Heartbleed. Nonetheless, there are still many vulnerable EV certificates that have not been reissued two weeks after the event (67%) and that have not been revoked three weeks after (87%).

5. RELATED WORK

Our work lies at the intersection of two general areas of prior work: studies of how effectively administrators react to widely publicized vulnerabilities, and measurements of the TLS/SSL certificate ecosystem. To the best of our knowledge, we are the first to look specifically at how potentially compromised certificates are replaced and revoked.

Vulnerability patching. There have been several studies of how quickly and effectively administrators patch well-known software vulnerabilities. Rescorla measured the response to a 2002 buffer overflow vulnerability in OpenSSL [27], and Ramos investigated how the fraction of vulnerable systems changes after various security holes from 2000-2005 had been published [25]. Both of these studies found an exponential decrease in the fraction of vulnerable hosts shortly after public revelation of the vulnerability, followed by a gradual decline thereafter. Interestingly, in Rescorla's study, another sharp decline in the number of vulnerable hosts occurred after the release of the Slapper worm which exploited the buffer overflow.

Closely related to our study is that of Yilek et al., who measured the aftermath of a 2008 vulnerability in Debian's OpenSSL key generation that resulted in predictable RSA keys [35]. What makes this work particularly related to ours is that fixing the vulnerability required not only patching OpenSSL, but also reissuing new keys. They found that this process resulted in a gradual decline in the fraction of vulnerable hosts, as opposed to the sharp exponential decay when only patching the software is necessary. However, because their data collection only began several days after the vulnerability was released, the sharp decline may have occurred but gone unnoticed. Our data covers months leading up to and weeks after Heartbleed, allowing us more confidence in the initial drop-off of vulnerabilities.

Our work broadly builds on these prior studies in that we focus on a different, though equally important, aspect of the vulnerability fixing cycle: when potentially compromised certificates were not only replaced, but explicitly revoked. The connection between patching software, reissuing new certificates, and revoking old ones has, to the best of our knowledge, not been explicitly studied. Though it had been previously believed that revocations and reissues occur simultaneously [8], our results demonstrate that revocations are often offset in time, or simply never occur at all.

The certificate ecosystem. In focusing on vulnerability fixing as it pertains to certificates, our work is also related to recent studies of the certificate ecosystem at large. Holz et al. [17] performed passive and active measurements on HTTPS certificates from the Alexa Top-1M domains. Durumeric et al. [8] performed active measurements using ZMap [10] that yielded nearly 40 more certificates than prior studies [11, 16, 17]. Broadly, these studies exposed several grim properties of today's certificate ecosystem, including weaker key lengths than suggested by NIST [3], longer certificate chains than necessary, invalid subject names, and so on. Comparing these studies to one another, it appears that the Alexa Top-1M sites, though still far from perfect, do manage certificates more appropriately on average, with a slight weight to higher-ranked domains. Like Holz et al., our work focuses solely on the Alexa Top-1M; we expect that expanding to more domains would, as Durumeric et al. found [8], result in less effective certificate management, though this is an area of future work.

While these studies have shed considerable light on the certificate ecosystem (and found it to be surprisingly bleak), our study is the first to explicitly consider reissues and revocations, particularly in the wake of a widespread vulnerability. Durumeric et al. [8] briefly investigated certificate revocations, and found that a mere 2.5% of the certificates they encountered were ever revoked; of these, the majority gave no reason code. By using Heartbleed as a wide-scale correlated event, we complement this prior work by investigating which certificates should have been revoked, and when the revocations should have taken place. In the context of the certificate ecosystem, we believe this to be novel.

Heartbleed. The recent nature of the Heartbleed vulnerability means little scientific work has yet to come out studying the vulnerability itself and the community's reaction to it. The most closely related work, a study performed concurrently with our own, presents a comprehensive study of the breadth of the vulnerability, the clean-up, and surveys of administrators who failed to patch their servers [9]. Interestingly, the study leverages historic packet traces [19] to look for evidence of Heartbleed exploitation before the announcement and finds no evidence that the vulnerability was exploited beforehand. This study and our own are complementary: theirs briefly examines SSL certificate reissues and revocations, and the results of their analysis are in agreement with ours.

6. CONCLUDING DISCUSSION

In this paper, we study how SSL certificates are reissued and revoked in response to a widespread vulnerability, Heartbleed, that enabled undetectable key compromise. We conducted large-scale measurements and developed new methodologies and heuristics to determine how the most popular 1 million websites reacted to this vulnerability in terms of certificate management, and how this impacts security for clients that use them.

We found that the vast majority of vulnerable certificates have not been reissued; further, of those domains that reissued certificates in response to Heartbleed, 60% do not revoke their vulnerable certificates; if they do not eventually become revoked, 20% of those certificates will remain valid (not expire) for two or more years. The ramifications of these findings are alarming: modern Web browsers will remain potentially vulnerable to malicious third parties using stolen keys to masquerade as a compromised site for a long time to come. We analyzed these trends with vulnerable EV certificates, as well, and have found that, while they exhibit better security practices, they still remain largely not reissued (67%) and not revoked (88%) even weeks after the vulnerability was made public.

To the best of our knowledge, our focused study on certificate reissues and revocations is the first of its kind. Our results are, in some ways, in line with previous studies on the rates at which administrators patched vulnerable software; for instance, revocation rates followed a sharp exponential drop-off shortly after the vulnerability was made public, and tapered off relatively soon thereafter. However, unlike with software patches, we find the vast majority of certificates have still not been reissued or revoked. These findings indicate quite simply that the current practices of certificate management are misaligned with what is necessary to ensure a secure PKI.

Surveying system administrators. To help better understand the reasons behind the lack of prompt certificate reissues and revocations, we informally surveyed a few systems administrators. We asked what steps they had taken in response to Heartbleed: did they patch, reissue, and revoke, and if not, then why not? We received seven responses. Most reported patching their systems, typically in direct response, but some relied on managed servers or automatic updates and therefore took no Heartbleed-specific steps. There was some variance in when patches were applied, due to a combination of scheduled reboots and delayed responses from some vendors, but the majority of patches were applied quickly.

For revoking and reissuing, however, we saw a wide spectrum of behavior. Few both revoked and reissued, but among them, they did so within 48 hours. Many neither revoked nor reissued; a common reason provided was that the vulnerable hosts were either not hosting sensitive data or were not running services that were deemed sensitive enough to warrant it. Along similar lines, others reported having reissued the certificate but not revoking, explaining that the certificate is only for internal use. Finally, others reported that they did not perceive reissuing and revoking as important because they had patched quickly after the bug was publicly announced (recall, however, that the vulnerability was introduced over two years prior).

Our results from this small survey should be viewed anecdotally (a more extensive survey on certificate administration is an interesting area of future work), but they do shed light on some of the root causes of why revoking and reissuing are not on equal footing with patching. While administrators almost universally understand the importance of patching after a vulnerability, many do not appreciate or know about the importance of revoking and reissuing certificates with new keys. Of those administrators who do understand the importance, even some of them reported pushback from others who perceived the process as being overly complex. In sum, this points to the need for broader education on the treatment of certificates, and perhaps more assistance from CAs to help ensure that all the prescribed steps are taken.

Lessons learned. Our results suggest several changes to common PKI practices that may improve security in practice. First, the practices of low revocation rates and long expiration dates form a dangerous combination. Techniques that automate revocation would vastly reduce the period during which clients are vulnerable to malicious third parties. Similarly, setting reasonably short certificate expiration dates (as suggested by Topalovic et al. [34]) by default will significantly reduce the period during which vulnerable certificates are valid. Second, mechanisms that enable a simultaneous reissue-and-revoke for a certificate will make it less likely that invalid certificates are accepted by clients. Third, we have found that many domains, when they reissue a certificate, continue to offer the old, vulnerable certificate, as well. Given the large number of certificates and hosts using them per domain in our dataset, we believe administrators would benefit from tools that more easily track and validate the set of certificates they are using.

Future work. This paper is, we believe, the first step towards understanding the manual process of reissuing and revoking certificates in the wake of a vulnerability. Several interesting open problems remain. Because our data focuses on the server and CA side of the PKI ecosystem, we are unable to draw any direct conclusions as to what clients experience. A host-centered measurement study would, for instance, allow us to understand not only when revocations were added to CRLs, but when clients actually received the CRLs.

Moreover, our study opens many questions as to why the certificate reissue and revocation processes are so extensively mismanaged. Our results reinforce previous findings that site popularity is correlated with good security practices, but even the highest ranked Alexa websites show relatively anemic rates of reissues and revocations. Understanding the root causes is an important step towards developing secure infrastructures that effectively incorporate (or mitigate) the end-user administrators.

Open source. Our analysis relied on both existing, public sources of data and those we collected ourselves. We make all of our data and our analysis code available to the research community at https://ssl-research.ccs.neu.edu

Acknowledgments

We thank the anonymous reviewers and our shepherd, Jelena Mirkovic, for their helpful comments. We also thank Rapid7 for collecting the SSL certificate data, the authors of ZMap for collecting the Heartbleed vulnerability data, and for making it publicly available. Finally, we thank our survey respondents for their candid responses. This research was supported in part by NSF grants CNS-1054233, CNS-1319019, and CNS-1150177, and an Amazon Web Services in Education grant.

7. REFERENCES

[1] D. E. 3rd. Transport Layer Security (TLS) Extensions: Extension Definitions, Jan. 2011. IETF RFC-6066.
[2] Alexa Top 1 Million Domains. http://s3.amazonaws.com/alexa-static/top-1m.csv.zip
[3] E. Barker, W. Barker, W. Burr, W. Polk, and M. Smid. Recommendation for Key Management - Part 1: General (Revision 3), 2012. NIST Special Publication 800-57.
[4] Botan SSL Library. http://botan.randombit.net
[5] CERT Vulnerability Note VU#720951: OpenSSL TLS heartbeat extension read overflow discloses sensitive information. http://www.kb.cert.org/vuls/id/720951
[6] D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, and W. Polk. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. IETF RFC-5280, May 2008.
[7] R. Duncan. How certificate revocation (doesn't) work in practice, 2013. http://news.netcraft.com/archives/2013/05/13/how-certificate-revocation-doesnt-work-in-practice.html
[8] Z. Durumeric, J. Kasten, M. Bailey, and J. A. Halderman. Analysis of the HTTPS certificate ecosystem. In ACM Internet Measurement Conference (IMC), 2013.
[9] Z. Durumeric, J. Kasten, F. Li, J. Amann, J. Beekman, M. Payer, N. Weaver, J. A. Halderman, V. Paxson, and M. Bailey. The matter of Heartbleed. In ACM Internet Measurement Conference (IMC), 2014.
[10] Z. Durumeric, E. Wustrow, and J. A. Halderman. ZMap: Fast Internet-wide Scanning and Its Security Applications. In USENIX Security Symposium, 2013.
[11] P. Eckersley and J. Burns. An observatory for the SSLiverse. In Defcon 18, 2010. https://www.eff.org/files/DefconSSLiverse.pdf
[12] F. F. Elwailly, C. Gentry, and Z. Ramzan. QuasiModo: Efficient certificate validation and revocation. In Public Key Cryptography (PKC), 2004.
[13] P. Evans. Heartbleed bug: RCMP asked Revenue Canada to delay news of SIN thefts, 2014. http://www.cbc.ca/news/business/heartbleed-bug-rcmp-asked-revenue-canada-to-delay-news-of-sin-thefts-1.2609192
[14] Faketime library. http://www.code-wizards.com/projects/libfaketime/
[15] B. Grubb. Heartbleed disclosure timeline: who knew what and when, 2014. http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-knew-what-and-when-20140415-zqurk.html
[16] N. Heninger, Z. Durumeric, E. Wustrow, and J. A. Halderman. Mining your Ps and Qs: Detection of widespread weak keys. In USENIX Security Symposium, 2012.
[17] R. Holz, L. Braun, N. Kammenhuber, and G. Carle. The SSL landscape - A thorough analysis of the X.509 PKI using active and passive measurements. In ACM Internet Measurement Conference (IMC), 2011.
[18] Revocation doesn't work. https://www.imperialviolet.org/2011/03/18/revocation.html
[19] S. Kornexl, V. Paxson, H. Dreger, A. Feldmann, and R. Sommer. Building a time machine for efficient recording and retrieval of high-volume network traffic. In ACM Internet Measurement Conference (IMC), 2005.
[20] Mac OS X 10.9.2 Root Certificates. http://support.apple.com/kb/HT6005
[21] S. Micali. NOVOMODO: Scalable certificate validation and simplified PKI management. In PKI Research Workshop, 2002.
[22] P. Mutton. Half a million widely trusted websites vulnerable to heartbleed bug, 2014. http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html
[23] M. Naor and K. Nissim. Certificate revocation and certificate update. In USENIX Security Symposium, 1998.
[24] OpenSSL Project. https://www.openssl.org
[25] T. Ramos. The laws of vulnerabilities. In RSA Conference, 2006. http://www.qualys.com/docs/Laws-Presentation.pdf
[26] Rapid7 SSL Certificate Scans. https://scans.io/study/sonar.ssl
[27] E. Rescorla. Security holes... Who cares? In USENIX Security Symposium, 2003.
[28] R. L. Rivest. Can we eliminate certificate revocation lists? In Financial Cryptography (FC), 1998.
[29] S. Santesson, M. Myers, R. Ankney, A. Malpani, S. Galperin, and C. Adams. X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP, June 2013. IETF RFC-6960.
[30] R. Seggelmann, M. Tuexen, and M. Williams. Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension, Feb. 2012. IETF RFC-6520.
[31] N. Sullivan. The Heartbleed Aftermath: all CloudFlare certificates revoked and reissued, 2014. http://blog.cloudflare.com/the-heartbleed-aftermath-all-cloudflare-certificates-revoked-and-reissued
[32] N. Sullivan. The Results of the CloudFlare Challenge, 2014. http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge
[33] The GnuTLS Transport Layer Security Library. http://www.gnutls.org
[34] E. Topalovic, B. Saeta, L.-S. Huang, C. Jackson, and D. Boneh. Toward short-lived certificates. In Web 2.0 Security & Privacy (W2SP), 2012.
[35] S. Yilek, E. Rescorla, H. Shacham, B. Enright, and S. Savage. When private keys are public: Results from the 2008 Debian OpenSSL vulnerability. In ACM Internet Measurement Conference (IMC), 2009.
[36] P. Zheng. Tradeoffs in certificate revocation schemes. In ACM Computer Communication Review (CCR), 2013.
[37] ZMap Vulnerable Hosts. https://zmap.io/heartbleed/vulnerable.html
curve 0+0830, while the "Not revoked (EV)" line fits the curve 0+0

Overall, EV certificates follow similar trends to the entire corpus, with a slightly faster and more thorough response. Interestingly, while EV certificates were revoked more quickly, their non-EV counterparts caught up within ten days; however, EV certificates were reissued both more quickly and more thoroughly. We expect that the underlying cause of this observation is a self-selection effect, i.e., security-conscious sites are more likely to seek out EV certificates in the first place. We doubt that the additional identity verification steps required to obtain an EV certificate play a large role in this (slightly) improved reaction to Heartbleed. Nonetheless, there are still many vulnerable EV certificates that have not been reissued two weeks after the event (67%) and that have not been revoked three weeks after (87%).

5. RELATED WORK

Our work lies at the intersection of two general areas of prior work: studies of how effectively administrators react to widely publicized vulnerabilities, and measurements of the TLS/SSL certificate ecosystem. To the best of our knowledge, we are the first to look specifically at how potentially compromised certificates are replaced and revoked.

Vulnerability patching. There have been several studies of how quickly and effectively administrators patch well-known software vulnerabilities. Rescorla measured the response to a 2002 buffer overflow vulnerability in OpenSSL [27], and Ramos investigated how the fraction of vulnerable systems changes after various security holes from 2000-2005 had been published [25]. Both of these studies found an exponential decrease in the fraction of vulnerable hosts shortly after public revelation of the vulnerability, followed by a gradual decline thereafter. Interestingly, in Rescorla's study, another sharp decline in the number of vulnerable hosts occurred after the release of the Slapper worm which exploited the buffer overflow.

Closely related to our study is that of Yilek et al., who measured the aftermath of a 2008 vulnerability in Debian's OpenSSL key generation that resulted in predictable RSA keys [35]. What makes this work particularly related to ours is that fixing the vulnerability required not only patching OpenSSL, but also reissuing new keys. They found that this process resulted in a gradual decline in the fraction of vulnerable hosts, as opposed to the sharp exponential decay when only patching the software is necessary. However, because their data collection only began several days after the vulnerability was released, the sharp decline may have occurred but gone unnoticed. Our data covers months leading up to and weeks after Heartbleed, allowing us more confidence in the initial drop-off of vulnerabilities.

Our work broadly builds on these prior studies in that we focus on a different, though equally important, aspect of the vulnerability fixing cycle: when potentially compromised certificates were not only replaced, but explicitly revoked. The connection between patching software, reissuing new certificates, and revoking old ones has, to the best of our knowledge, not been explicitly studied. Though it had been previously believed that revocations and reissues occur simultaneously [8], our results demonstrate that revocations are often offset in time, or simply never occur at all.

The certificate ecosystem. In focusing on vulnerability fixing as it pertains to certificates, our work is also related to recent studies of the certificate ecosystem at large. Holz et al. [17] performed passive and active measurements on HTTPS certificates from the Alexa Top-1M domains. Durumeric et al. [8] performed active measurements using ZMap [10] that yielded nearly 40 more certificates than prior studies [11, 16, 17]. Broadly, these studies exposed several grim properties of today's certificate ecosystem, including weaker key lengths than suggested by NIST [3], longer certificate chains than necessary, invalid subject names, and so on. Comparing these studies to one another, it appears that the Alexa Top-1M sites, though still far from perfect, do manage certificates more appropriately on average, with a slight weight to higher-ranked domains. Like Holz et al., our work focuses solely on the Alexa Top-1M; we expect that expanding to more domains would, as Durumeric et al. found [8], result in less effective certificate management, though this is an area of future work.

While these studies have shed considerable light on the certificate ecosystem (and found it to be surprisingly bleak), our study is the first to explicitly consider reissues and revocations, particularly in the wake of a widespread vulnerability. Durumeric et al. [8] briefly investigated certificate revocations, and found that a mere 2.5% of the certificates they encountered were ever revoked; of these, the majority gave no reason code. By using Heartbleed as a wide-scale correlated event, we complement this prior work by investigating which certificates should have been revoked, and when the revocations should have taken place. In the context of the certificate ecosystem, we believe this to be novel.

Heartbleed. The recent nature of the Heartbleed vulnerability means little scientific work has yet to come out studying the vulnerability itself and the community's reaction to it. The most closely related work, a study performed concurrently with our own, presents a comprehensive study of the breadth of the vulnerability, the clean-up, and surveys of administrators who failed to patch their servers [9]. Interestingly, the study leverages historic packet traces [19] to look for evidence of Heartbleed exploitation before the announcement and finds no evidence that the vulnerability was exploited beforehand. This study and our own are complementary: theirs briefly examines SSL certificate reissues and revocations, and the results of their analysis are in agreement with ours.

6. CONCLUDING DISCUSSION

In this paper, we study how SSL certificates are reissued and revoked in response to a widespread vulnerability, Heartbleed, that enabled undetectable key compromise. We conducted large-scale measurements and developed new methodologies and heuristics to determine how the most popular 1 million web sites reacted to this vulnerability in terms of certificate management, and how this impacts security for clients that use them.

We found that the vast majority of vulnerable certificates have not been reissued; further, of those domains that reissued certificates in response to Heartbleed, 60% do not revoke their vulnerable certificates; if they do not eventually become revoked, 20% of those certificates will remain valid (not expire) for two or more years. The ramifications of these findings are alarming: modern Web browsers will remain potentially vulnerable to malicious third parties using stolen keys to masquerade as a compromised site for a long time to come. We analyzed these trends with vulnerable EV certificates, as well, and have found that, while they exhibit better security practices, they still remain largely not reissued (67%) and not revoked (88%) even weeks after the vulnerability was made public.

To the best of our knowledge, our focused study on certificate reissues and revocations is the first of its kind. Our results are, in some ways, in line with previous studies on the rates at which administrators patched vulnerable software; for instance, revocation rates followed a sharp exponential drop-off shortly after the vulnerability was made public, and tapered off relatively soon thereafter. However, unlike with software patches, we find the vast majority of certificates have still not been reissued or revoked. These findings indicate quite simply that the current practices of certificate management are misaligned with what is necessary to ensure a secure PKI.

Surveying system administrators. To help better understand the reasons behind the lack of prompt certificate reissues and revocations, we informally surveyed a few systems administrators. We asked what steps they had taken in response to Heartbleed: did they patch, reissue, and revoke, and if not, then why not? We received seven responses. Most reported patching their systems, typically in direct response, but some relied on managed servers or automatic updates and therefore took no Heartbleed-specific steps. There was some variance in when patches were applied, due to a combination of scheduled reboots and delayed responses from some vendors, but the majority of patches were applied quickly.

For revoking and reissuing, however, we saw a wide spectrum of behavior. Few both revoked and reissued, but among them, they did so within 48 hours. Many neither revoked nor reissued; a common reason provided was that the vulnerable hosts were either not hosting sensitive data or were not running services that were deemed sensitive enough to warrant it. Along similar reasons, others reported having reissued the certificate but not revoking, explaining that the certificate is only for internal use. Finally, others reported that they did not perceive reissuing and revoking as important because they had patched quickly after the bug was publicly announced (recall, however, that the vulnerability was introduced over two years prior).

Our results from this small survey should be viewed anecdotally (a more extensive survey on certificate administration is an interesting area of future work), but they do shed light on some of the root causes of why revoking and reissuing are not on equal footing with patching. While administrators almost universally understand the importance of patching after a vulnerability, many do not appreciate or know about the importance of revoking and reissuing certificates with new keys. Of those administrators who do understand the importance, even some of them reported pushback from others who perceived the process as being overly complex. In sum, this points to the need for broader education on the treatment of certificates, and perhaps more assistance from CAs to help ensure that all the prescribed steps are taken.

Lessons learned. Our results suggest several changes to common PKI practices that may improve security in practice. First, the practices of low revocation rates and long expiration dates form a dangerous combination. Techniques that automate revocation would vastly reduce the period during which clients are vulnerable to malicious third parties. Similarly, setting reasonably short certificate expiration dates (as suggested by Topalovic et al. [34]) by default will significantly reduce the period during which vulnerable certificates are valid. Second, mechanisms that enable a simultaneous reissue-and-revoke for a certificate will make it less likely that invalid certificates are accepted by clients. Third, we have found that many domains, when they reissue a certificate, continue to offer the old, vulnerable certificate, as well. Given the large number of certificates and hosts using them per domain in our dataset, we believe administrators would benefit from tools that more easily track and validate the set of certificates they are using.

Future work. This paper is, we believe, the first step towards understanding the manual process of reissuing and revoking certificates in the wake of a vulnerability. Several interesting open problems remain. Because our data focuses on the server and CA side of the PKI ecosystem, we are unable to draw any direct conclusions as to what clients experience. A host-centered measurement study would, for instance, allow us to understand not only when revocations were added to CRLs, but when clients actually received the CRLs.

Moreover, our study opens many questions as to why the certificate reissue and revocation processes are so extensively mismanaged. Our results reinforce previous findings that site popularity is correlated with good security practices, but even the highest ranked Alexa websites show relatively anemic rates of reissues and revocations. Understanding the root causes is an important step towards developing secure infrastructures that effectively incorporate (or mitigate) the end-user administrators.

Open source. Our analysis relied on both existing, public sources of data and those we collected ourselves. We make all of our data and our analysis code available to the research community at https://ssl-research.ccs.neu.edu

Acknowledgments

We thank the anonymous reviewers and our shepherd, Jelena Mirkovic, for their helpful comments. We also thank Rapid7 for collecting the SSL certificate data, the authors of ZMap for collecting the Heartbleed vulnerability data, and for making it publicly available. Finally, we thank our survey respondents for their candid responses. This research was supported in part by NSF grants CNS-1054233, CNS-1319019, and CNS-1150177, and an Amazon Web Services in Education grant.

7. REFERENCES

[1] D. E. 3rd. Transport Layer Security (TLS) Extensions: Extension Definitions, Jan. 2011. IETF RFC-6066.
[2] Alexa Top 1 Million Domains. http://s3.amazonaws.com/alexa-static/top-1m.csv.zip
[3] E. Barker, W. Barker, W. Burr, W. Polk, and M. Smid. Recommendation for Key Management - Part 1: General (Revision 3), 2012. NIST Special Publication 800-57.
[4] Botan SSL Library. http://botan.randombit.net
[5] CERT Vulnerability Note VU#720951: OpenSSL TLS heartbeat extension read overflow discloses sensitive information. http://www.kb.cert.org/vuls/id/720951
[6] D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, and W. Polk. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. IETF RFC-5280, May 2008.
[7] R. Duncan. How certificate revocation (doesn't) work in practice, 2013. http://news.netcraft.com/archives/2013/05/13/how-certificate-revocation-doesnt-work-in-practice.html
[8] Z. Durumeric, J. Kasten, M. Bailey, and J. A. Halderman. Analysis of the HTTPS certificate ecosystem. In ACM Internet Measurement Conference (IMC), 2013.
[9] Z. Durumeric, J. Kasten, F. Li, J. Amann, J. Beekman, M. Payer, N. Weaver, J. A. Halderman, V. Paxson, and M. Bailey. The matter of Heartbleed. In ACM Internet Measurement Conference (IMC), 2014.
[10] Z. Durumeric, E. Wustrow, and J. A. Halderman. ZMap: Fast Internet-wide Scanning and Its Security Applications. In USENIX Security Symposium, 2013.
[11] P. Eckersley and J. Burns. An observatory for the SSLiverse. In Defcon 18, 2010. https://www.eff.org/files/DefconSSLiverse.pdf
[12] F. F. Elwailly, C. Gentry, and Z. Ramzan. QuasiModo: Efficient certificate validation and revocation. In Public Key Cryptography (PKC), 2004.
[13] P. Evans. Heartbleed bug: RCMP asked Revenue Canada to delay news of SIN thefts, 2014. http://www.cbc.ca/news/business/heartbleed-bug-rcmp-asked-revenue-canada-to-delay-news-of-sin-thefts-1.2609192
[14] Faketime library. http://www.code-wizards.com/projects/libfaketime/
[15] B. Grubb. Heartbleed disclosure timeline: who knew what and when, 2014. http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-knew-what-and-when-20140415-zqurk.html
[16] N. Heninger, Z. Durumeric, E. Wustrow, and J. A. Halderman. Mining your Ps and Qs: Detection of widespread weak keys. In USENIX Security Symposium, 2012.
[17] R. Holz, L. Braun, N. Kammenhuber, and G. Carle. The SSL landscape - A thorough analysis of the X.509 PKI using active and passive measurements. In ACM Internet Measurement Conference (IMC), 2011.
[18] Revocation doesn't work. https://www.imperialviolet.org/2011/03/18/revocation.html
[19] S. Kornexl, V. Paxson, H. Dreger, A. Feldmann, and R. Sommer. Building a time machine for efficient recording and retrieval of high-volume network traffic. In ACM Internet Measurement Conference (IMC), 2005.
[20] Mac OS X 10.9.2 Root Certificates. http://support.apple.com/kb/HT6005
[21] S. Micali. NOVOMODO: Scalable certificate validation and simplified PKI management. In PKI Research Workshop, 2002.
[22] P. Mutton. Half a million widely trusted websites vulnerable to heartbleed bug, 2014. http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html
[23] M. Naor and K. Nissim. Certificate revocation and certificate update. In USENIX Security Symposium, 1998.
[24] OpenSSL Project. https://www.openssl.org
[25] T. Ramos. The laws of vulnerabilities. In RSA Conference, 2006. http://www.qualys.com/docs/Laws-Presentation.pdf
[26] Rapid7 SSL Certificate Scans. https://scans.io/study/sonar.ssl
[27] E. Rescorla. Security holes... Who cares? In USENIX Security Symposium, 2003.
[28] R. L. Rivest. Can we eliminate certificate revocation lists? In Financial Cryptography (FC), 1998.
[29] S. Santesson, M. Myers, R. Ankney, A. Malpani, S. Galperin, and C. Adams. X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP, June 2013. IETF RFC-6960.
[30] R. Seggelmann, M. Tuexen, and M. Williams. Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension, Feb. 2012. IETF RFC-6520.
[31] N. Sullivan. The Heartbleed Aftermath: all CloudFlare certificates revoked and reissued, 2014. http://blog.cloudflare.com/the-heartbleed-aftermath-all-cloudflare-certificates-revoked-and-reissued
[32] N. Sullivan. The Results of the CloudFlare Challenge, 2014. http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge
[33] The GnuTLS Transport Layer Security Library. http://www.gnutls.org
[34] E. Topalovic, B. Saeta, L.-S. Huang, C. Jackson, and D. Boneh. Toward short-lived certificates. In Web 2.0 Security & Privacy (W2SP), 2012.
[35] S. Yilek, E. Rescorla, H. Shacham, B. Enright, and S. Savage. When private keys are public: Results from the 2008 Debian OpenSSL vulnerability. In ACM Internet Measurement Conference (IMC), 2009.
[36] P. Zheng. Tradeoffs in certificate revocation schemes. In ACM Computer Communication Review (CCR), 2013.
[37] ZMap Vulnerable Hosts. https://zmap.io/heartbleed/vulnerable.html

Figure 17: Cumulative distribution of the time between when we downloaded the CRLs (6:00pm EST) and the time of issue recorded in the CRL (and signed by the CA). Most CAs have a chance to revoke certificates at least once a day, as 95% of the CAs updated their CRLs within 24 hours of when we downloaded them.

due to concerns that the private key may have been compromised, this increase is not unexpected. However, it still appears that the vast majority of CRL entries are mis-coded. Prior work has also noted that CRLs are usually mis-coded [8], although the snapshot we present in Figure 16 is even more stark, given that we know Heartbleed-induced revocations should have been revoked with a reason code of "Key Compromise".

CRL update intervals. The general lack of site administrators revoking certificates when they should (e.g., after Heartbleed) could be attributed to the CAs only updating their CRLs on very long time scales. For example, one reason for this would be if CAs kept their private keys on offline hosts that would have to be powered on every time to sign CRLs. Another reason would be so clients do not need to download new CRLs very often.

Figure 17 indicates that neither of these reasons is true. This figure shows the cumulative distribution of the difference between the time we downloaded a CRL and the time it was issued. We see that 95% of CAs signed a fresh CRL within 24 hours of 6:00pm EST (when we downloaded the CRLs). When CAs sign a fresh CRL, they have the opportunity to revoke more certificates. These results suggest that CAs could revoke certificates as often as every few hours. Thus, any delays in the revocation of certificates are due to humans in the loop: either certificate owners who are not reporting potentially compromised keys, or CA personnel who are not manually adding new entries to CRLs before they are signed and shipped.

Another important factor in the context of client impact is when (and whether) clients obtained the list of revocations. Unfortunately, we are unable to answer this question given our data collection methodology (it would require instrumenting end-hosts to see when precisely their browsers and operating systems fetched CRLs or issued OCSP queries). Such a study is an interesting area of future work.

However, there is one aspect of this problem to which we may be able to lend insight; it was recently reported that many browsers do not even bother to check certificates' CRLs, with the exception of extended validation (EV) certificates [7]. We next turn to an analysis of how these EV certificates are reissued and revoked in comparison to the entire corpus of certificates.
Figure 18: The rate at which vulnerable certificates were reissued and revoked after Heartbleed's announcement. (Note that the y-axis does not begin at zero.)

4.5 Extended Validation Certificates

Recall that one of the major roles of a CA is to validate the identity of the subjects for whom it issues certificates. Extended Validation (EV) certificates are a means by which CAs can express that this identity-verification process has followed a set of (presumably stringent) established criteria. EV certificates are standard X.509 certificates, and offer no additional security per se, but the rationale is that with a more thorough verification process by the CAs, these certificates can be more readily verified and trusted by users. That said, there remains concern as to whether or not this trust is well-placed. We close this section by investigating the rate at which vulnerable EV certificates were revoked and reissued as compared to the entire aggregate of certificates.

Figure 18 shows the fraction of vulnerable certificates that have yet to be reissued or revoked over time. In this figure, the initial values do not all start at 1.0 for reissues: this is because, with coarse granularity of our data, we cannot be certain whether some certificates were reissued immediately after the scan on April 7, 2014, immediately before the scan on April 10, 2014, or in between. We therefore provide the most optimistic possibility: if we know a certificate was reissued between days and, then we plot it as having been reissued on day. The coarse granularity of the scans also explains why the reissue lines do not advance beyond April 21.

Regardless, one trend that remains clear is that sites are more proactive in reissuing new certificates than in revoking old ones. This contradicts prior assumptions that revocations and reissues occur simultaneously [8]. Indeed, it is not yet clear to us why a site would reissue a vulnerable certificate without revoking it, but these trends demonstrate that it is a common practice, even for those with EV certificates.

This figure shows a generally bleak view of how thoroughly sites revoke and reissue their certificates when necessary. Note that the y-axis begins at 0.65: three weeks after the revelation of Heartbleed, over 87% of all certificates we found to be vulnerable have yet to be revoked, and over 73% of them have yet to be reissued.

Of those that did revoke their certificates, we find that the speed at which they did so matches that of earlier studies on the spread of patches [25, 27]: there is an exponential drop-off, followed by a gradual decline. Specifically, the "Not revoked (all)" line fits the

Footnote: Many browsers present EV certificates with a green box in the address bar, while non-EV certificates are often just represented with a gray lock icon.

Figure 14: Cumulative distribution of the number of days between when a certificate is reissued and when it is revoked. Positive values indicate the certificate is reissued before it is revoked; negative values indicate the opposite.

sues, i.e., sites with high rank are slightly more likely to revoke. Ideally, the two lines in Figure 10 should be coincident, i.e., all sites reissuing certificates due to Heartbleed should also have revoked the retired certificates (the only exception to this rule is if the retired certificate was about to expire anyway, but we account for this in our definitions of Heartbleed-induced reissues and revocations). This result highlights a serious gap in security best-practices across all of the sites in the Alexa Top-1M.

Finally, we examine the revocation speed, or the number of days between when a certificate is reissued and it is revoked. Figure 14 presents the cumulative distribution of the revocation speed for both Heartbleed-induced and non-Heartbleed-induced revocations. To make the distributions comparable, we only look at differences between -10 and 10 days (recall that Heartbleed-induced reissues and revocations can only occur after April 7, 2014, limiting that distribution). We observe that Heartbleed-induced revocations appear to happen slightly more quickly, though not to the extent one might expect, given the urgent nature of the vulnerability. We also observe that revocation almost always happens after reissue, which is likely explained by the more manual process that revocation often entails. This result contradicts previous assumptions [8] that revocations and reissues occur simultaneously. Finally, it is worth noting that the granularity of our scans makes generalizing these results difficult, since we cannot tell exactly when a certificate was reissued; however, the two distributions are comparable to each other.

Expirations are not enough. To demonstrate how long the effects of this vulnerability could be felt if sites do not revoke their vulnerable certificates, we analyze certificates that, by the end of our data collection, were found to be vulnerable (and alive) when Heartbleed was announced, reissued thereafter, but never revoked. Figure 15 presents the distribution of how much longer such certificates will continue to live if their sites do not revoke them. Note that this CDF appears to be piecewise linear at intervals of 1 year: this is because expiration dates are typically set at intervals of a year; that the distribution is roughly uniform within these year intervals indicates that certificates are issued mostly uniformly throughout the year. This figure shows that, without revoking, the vulnerability introduced in 2014 could affect clients through 2020. We conclude from this that, given the meager rates of revocation, it would be helpful for CAs to shift to shorter expiry times in their certificates.
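The paper's definitions of a vulnerable certificate and a Heartbleed-induced reissue and revocation (Sections 4.3 and 4.4), together with the same-key check, the revocation speed, and the time-until-expiry of unrevoked certificates, applied to a handful of records. This is an added example, not the authors' analysis code; the record fields, hostnames, key fingerprints and dates are constructed assumptions, and measuring remaining validity from April 30, 2014 is also an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

ANNOUNCED = date(2014, 4, 7)    # Heartbleed announcement date given in the paper
STUDY_END = date(2014, 4, 30)   # date of the paper's last scan


@dataclass
class Cert:
    common_name: str
    key_fingerprint: str           # hash of the public key (constructed values)
    birth: date                    # first scan in which the certificate appeared
    not_after: date                # expiry date
    on_vulnerable_host: bool       # ever advertised by a Heartbleed-vulnerable host
    revoked_on: Optional[date] = None


@dataclass
class Reissue:
    old: Cert                      # retired certificate
    new: Cert                      # its replacement
    when: date                     # date the replacement was first observed
    prior_reissues: int            # reissues for this Common Name before ANNOUNCED


def is_vulnerable(cert: Cert) -> bool:
    """The paper's three conditions for a 'vulnerable certificate'."""
    return (cert.birth < ANNOUNCED
            and cert.not_after > STUDY_END
            and cert.on_vulnerable_host)


def is_heartbleed_induced(r: Reissue) -> bool:
    """The paper's three conditions for a 'Heartbleed-induced reissue'."""
    return (r.when >= ANNOUNCED
            and (r.old.not_after - r.when).days > 60
            and r.prior_reissues <= 2)


def audit(r: Reissue, as_of: date = STUDY_END) -> dict:
    """Classify one reissue and measure what the retired certificate still exposes."""
    induced = is_heartbleed_induced(r)
    vulnerable = is_vulnerable(r.old)
    revoked = r.old.revoked_on is not None
    exposure = None
    if vulnerable and not revoked:
        # Figure 15: days the retired, unrevoked certificate remains valid.
        exposure = max((r.old.not_after - as_of).days, 0)
    return {
        "name": r.old.common_name,
        "vulnerable": vulnerable,
        "induced_reissue": induced,
        "induced_revocation": induced and revoked,
        "same_key": r.old.key_fingerprint == r.new.key_fingerprint,
        # Figure 14 convention: positive means reissued before revoked.
        "revocation_lag_days": (r.old.revoked_on - r.when).days if revoked else None,
        "residual_exposure_days": exposure,
    }


def remediation_gaps(finding: dict) -> List[str]:
    """List the steps still missing for a certificate whose key may be exposed."""
    gaps = []
    if finding["vulnerable"] and finding["same_key"]:
        gaps.append("replacement reuses the possibly exposed key pair")
    if finding["residual_exposure_days"]:
        gaps.append("retired certificate not revoked, valid for %d more days"
                    % finding["residual_exposure_days"])
    return gaps


def _reissue(name, old_key, new_key, birth, not_after, vuln, when, prior, revoked_on=None):
    old = Cert(name, old_key, birth, not_after, vuln, revoked_on)
    new = Cert(name, new_key, when, date(when.year + 1, when.month, when.day), False)
    return Reissue(old, new, when, prior)


# Constructed sample records (hostnames, keys and dates are illustrative only).
SAMPLE = [
    _reissue("shop.example", "k1", "k2", date(2013, 11, 1), date(2015, 11, 1), True,
             date(2014, 4, 9), 0, revoked_on=date(2014, 4, 11)),
    _reissue("mail.example", "k3", "k3", date(2013, 6, 1), date(2016, 6, 1), True,
             date(2014, 4, 10), 1),
    _reissue("cdn.example", "k4", "k5", date(2013, 5, 20), date(2014, 5, 20), True,
             date(2014, 4, 15), 0),        # routine renewal: 35 days before expiry
    _reissue("rotator.example", "k6", "k7", date(2014, 3, 31), date(2014, 7, 20), False,
             date(2014, 4, 14), 12),       # reissues as a matter of policy
]


def run_sample() -> List[dict]:
    return [audit(r) for r in SAMPLE]


if __name__ == "__main__":
    for finding in run_sample():
        print(finding["name"], finding, remediation_gaps(finding))
```

The second record is the case the paper warns about: a reissue that counts as Heartbleed-induced yet keeps the old key and leaves the retired certificate valid for roughly two more years.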
Figure 15: The distribution of time-until-expiry for vulnerable, reissued, but not revoked certificates. If these certificates are never revoked, this figure shows how long they will persist.

CRL reason codes. The CRL specification allows the maintainers of CRLs to include a reason for why a certificate was revoked along with the revocation in the form of a small set of reason codes. The reason code is optional, and the options range from "Unspecified" to "Key Compromised" to "Privilege Withdrawn" [6]. Note that the CRL reason codes are not necessarily verified by the certificate authorities, and they may be incorrect.

For all of the certificates that we observed to be revoked, we extracted the reason code (if one existed); we present the distribution of these reason codes for both Heartbleed-induced and non-Heartbleed-induced certificate reissues in Figure 16. Note the log-scale on the y-axis.

We make two key observations. First, we see a significant increase in the probability of a reason code being provided at all for Heartbleed-induced revocations: only 19.2% of non-Heartbleed-induced revocations provide any reason code (including the "Unspecified" reason code), while 27.1% of Heartbleed-induced revocations provide a reason code. Second, we observe a large increase in the "Key Compromise" reason code (from 0.40% to 1.18% of all CRL entries); given that Heartbleed certificates are likely being reissued

Figure 16: Distribution of CRL reason codes given for both Heartbleed-induced and non-Heartbleed-induced certificate reissues. Note the log scale on the y-axis. We observe an increase in reasons for revocations being given for Heartbleed-induced reissues, especially for the "Key Compromised" reason code.
Figure 12: Number of domains that revoked at least one certificate over time for the month before and after Heartbleed.

at least partially due to system administrators re-using the same Certificate Signing Request (CSR) when requesting the new certificate from their CA.

In the wake of Heartbleed, we observe a significant drop in the frequency of reissuing certificates with the same key; this result indicates that sites are generating a new key pair more frequently. However, if we focus on the Heartbleed-induced reissues, we observe that a non-trivial fraction (4.1%) of these certificates are reissued with the same key (thereby defeating the purpose of reissuing the certificate). In fact, we observe a total of 912 such certificates coming from 747 distinct Alexa domains.

4.4 Certificate Revocation

We now turn to investigating certificate revocation before, during, and after the revelation of Heartbleed. Recall that it is critical that a vulnerable certificate be revoked: even if a site reissues a new certificate, if an attacker gained access to the vulnerable certificate's private key, then that attacker will be able to impersonate the owner until either the certificate expires or is revoked. We study both revocation and expiration here, and correlate them with rates of reissue. Contrary to standard assumptions, we find that revocation and reissues do not happen simultaneously.

Overall revocation rates. Figure 5 shows the number of certificate revocations over time; as noted above, the average jumps from 29 certificates revoked per day to 1,414 post-Heartbleed. However, the spike on April 16, 2014 is somewhat misleading, as it was largely due to the mass-revocation of 19,384 CloudFlare certificates of the form sslXXXXX.cloudflare.com [31]. To mitigate this issue, we plot in Figure 12 the number of unique domains that revoked at least one certificate over time.

We make three interesting observations: First, the magnitude of the Heartbleed-induced spike is greatly reduced, but we still observe an up-to-40-fold increase in the number of domains issuing revocations per day. Second, we observe that the number of domains issuing revocations falls closer to its pre-Heartbleed level by April 28th, suggesting that most of the domains that will revoke their certificate in direct response to Heartbleed already have.
Third, we observe three "dips" in the post-Heartbleed revocation rate on April 13th, April 20th, and April 27th, all weekends, indicating that far fewer revocations occur on the weekend relative to the rest of the week. This periodicity can also be (less-easily) observed in the pre-Heartbleed time frame. It is reasonable to assume revocations dip on weekends because humans are involved in the revocation process, however it is not clear who is responsible for the delays: is it site administrators or CRL maintainers at CAs (or both) who are not working on weekends? Regardless of who is responsible, these weekend delays are problematic for online security, since vulnerabilities (and the attackers who exploit them) do not take weekends off.

Revocation of reissued certificates. We now examine the fraction of retired certificates (i.e., old certificates that have been superseded by a reissued cert) that are revoked within two weeks of being retired. Figure 13 plots this fraction over time. For example, the point on March 3, 2014 shows that 2.2% of the certificates retired on that day were revoked by March 17, 2014. Overall, we see that between 2% and 3% of certificates being retired are eventually revoked. This probability increases by an order of magnitude after Heartbleed, with almost 40% of retired certificates being revoked quickly afterwards. This result suggests that the reason many certificates were reissued just after April 7 was because of Heartbleed, since the retired certificates were also revoked. This contrasts with certificates that are reissued due to impending expiration, in which case the retired certificate does not need to be revoked.

Figure 13: Fraction of reissued certificates that are revoked within two weeks of being retired. A significant increase in revocation probability is observed after Heartbleed.

Heartbleed-induced revocations. Similar to certificate reissues, not all certificate revocations after April 7, 2014 are necessarily due to Heartbleed (e.g., the site could have exposed their private key due to a different vulnerability). We therefore define a Heartbleed-induced revocation to be a certificate revocation where the certificate had a Heartbleed-induced reissue (see §4.3).

Overall, we observe 14,726 Heartbleed-induced revocations; this corresponds to 40% of all Heartbleed-induced reissued certificates. Thus, 60% of all certificates that were reissued due to Heartbleed were not revoked, implying that, if the certificate's private key was actually stolen, the attacker would be able to impersonate the victim without any clients being able to detect it.

Figure 10 presents the fraction of sites that have at least one Heartbleed-induced certificate revocation, as a function of Alexa rank. Revocations follow a similar trend to reis-

Footnote: We note that revocation alone is often insufficient to prevent impersonation, as an attacker may be able to prevent the client from accessing the CRL. In this case, many web browsers still accept the certificate as valid [18].

Figure 6: Fraction of domains that have at least one host that was ever vulnerable to Heartbleed as a function of Alexa rank, as well as domains that continued to be vulnerable at the end of the study.

In Figure 5, we present the number of certificate births, deaths, reissues, and revocations per day over time. The number of births is almost always larger than the number of deaths, meaning that the total number of certificates in-the-wild is increasing over time. Furthermore, we observe a large spike in all four events in the wake of Heartbleed, with an especially large increase in the number of revocations. For example, we see an average of 29 certificate revocations per day before Heartbleed; after Heartbleed, this jumps to an average of 1,414 revocations per day.

4.2 Heartbleed Prevalence

We present a brief analysis on the number of certificates hosted by machines that were ever vulnerable to Heartbleed. Of the 428,552 leaf certificates that were still alive on the last scan, we observe 122,832 (28.6%) of them advertised by a host that was likely vulnerable to Heartbleed at some point in time. These certificates are for 117,112 unique Common Names and come from 70,875 unique Alexa Top-1M domains. Of these certificates, 11,915 certificates (from 10,366 unique domains) were on hosts that were still vulnerable at the time of our crawl (April 30, 2014, over three weeks after the announcement of Heartbleed). This result demonstrates that even in the wake of a well-publicized, severe security vulnerability, around 10% of vulnerable sites have not yet addressed the underlying issue three weeks after the fact.

In Figure 6, we present the fraction of domains that have at least one SSL host that was ever vulnerable to Heartbleed (or still was as of April 30, 2014). We can observe a slight increase in likelihood of ever being vulnerable for the most popular sites, but the distribution quickly stabilizes. Again, the increased likelihood of being vulnerable is likely because these sites have larger numbers of hosts. This trend is mirrored in the hosts that are still vulnerable on April 30, 2014.

Footnote: This fraction is somewhat higher than the 17% of sites that Netcraft found to be vulnerable [22], but we note that we are measuring certificates from the Alexa Top-1M while Netcraft is measuring all SSL-enabled sites on the Internet.

4.3 Certificate Reissues

We now examine the reissuing of SSL certificates in the wake of Heartbleed. Not all SSL certificate reissues that we observe following Heartbleed's announcement are due to the Heartbleed vulnerability. In particular, reissues can happen for at least two other reasons: First, the old certificate could be expiring soon, and the organization reissues the certificate as it would normally. In Figure 7, we present the cumulative distribution of the number of days before expiry that we observe certificates being reissued. We see that over 50% of certificates are reissued within 60 days of their expiry date (with a long tail).

Figure 7: Cumulative distribution of the number of days before expiration that certificates are reissued.

Second, a site may periodically reissue certificates as a matter of policy (even if the old certificate was not near expiration). For example, Figure 8 presents a graph showing the prevalence of the www.google.com certificates over time, with each line representing the number of hosts advertising a different certificate. Google typically reissues this certificate every two weeks, despite the fact that the certificates are typically valid for more than three months.

Figure 8: Example of certificate birth and death for certificates for www.google.com. Google reissues this certificate about once every two weeks (each impulse represents a different certificate).

In this study, we would like to be able to distinguish Heartbleed-induced certificate reissue from a reissue that would otherwise have happened anyway. We define the reissue of a certificate to be Heartbleed-induced if all three of the following conditions hold:

1. The date of reissue was on or after April 7, 2014 (the day Heartbleed was announced). We note that a small number of organizations were informed about Heartbleed before the public announcement; as this list is not fully known, we do not consider them separately.
2. The certificate that is reissued was going to expire more than 60 days after the reissue. This eliminates certificates that were very likely to be reissued in the near future anyway.
3. We do not observe more than two other reissues for certificates with that Common Name in the time before Heartbleed. This implies that certificates with that name do not typically get reissued more than once every 3 months (as far as we can observe from our dataset), as our dataset begins on October 30, 2013 (slightly over 5 months before the announcement of the Heartbleed vulnerability).

Thus, for the examples shown so far, we would not have considered the reissue of the retired certificate in Figure 4 to be Heartbleed-induced (as it happened before Heartbleed), and we would also have not considered any of Google's reissues in Figure 8 to be Heartbleed-induced (because we observed a total of 12 reissues of certificates with that Common Name prior to Heartbleed). It is important to note that Heartbleed-induced reissues can happen for certificates that we never observed on a vulnerable host, either because we falsely declared the certificate to not be vulnerable (see §3.4) or because the site reissued out of an abundance of caution, even though they were not actually vulnerable.

Given these three conditions, we expect that our estimate of Heartbleed-induced reissues is a strict lower bound on Heartbleed-induced reissues. Overall, we observe 36,781 certificate reissues that we declare to be Heartbleed-induced in the three weeks following the announcement; this is 8.9% of all certificates that were alive at the time Heartbleed was announced. In Figure 9, we present the number of Heartbleed-induced and non-Heartbleed-induced certificate reissues over time. We observe that the number of non-Heartbleed-induced reissues is relatively stable, even after Heartbleed, suggesting our designation of Heartbleed-induced reissues is likely accurate. The slight spike in non-Heartbleed-induced reissues after April 7 may reflect that our approach yields a conservative underestimate of the number of Heartbleed-induced reissues.

Figure 9: Number of Heartbleed-induced and non-Heartbleed-induced certificate reissues over time.

Next, we examine the fraction of sites that have at least one Heartbleed-induced certificate reissue, as a function of Alexa rank. Figure 10 presents these results; we can observe a strong correlation with Alexa rank. Higher-ranked sites are much more likely to have reissued at least one certificate due to Heartbleed (even though they are only slightly more likely to have been vulnerable, as observed in Figure 6). This result complements previous studies' findings that more popular websites often exhibit more sound administrative practices [8, 17].

Figure 10: Fraction of domains that have at least one Heartbleed-induced reissue/revocation as a function of Alexa rank.

Vulnerable certificates. Next, we examine the certificates that should have been reissued (regardless of whether they actually were); we refer to these certificates as vulnerable certificates. We declare a certificate to be vulnerable if the following three conditions hold:

1. Its date of birth was before April 7, 2014,
2. It has not expired as of April 30, and
3. It was advertised by at least one host that was (or is) vulnerable to Heartbleed.

In other words, these certificates are vulnerable because their associated private keys could have been stolen by attackers.

Overall, we find 107,712 vulnerable certificates. Of these, we observe that only 28,652 (26.7%) have been reissued as of April 30. The remaining 79,060 (73.3%) vulnerable certificates that have not been reissued come from 55,086 different Alexa Top-1M domains. Thus, the vast majority of SSL certificates that were potentially exposed by the Heartbleed bug remain in-use over three weeks after the vulnerability was announced.

Reissues with same key. System administrators who believe that their SSL private key may have been compromised should generate a new public/private key pair when reissuing their certificate. We now examine how frequently this is done, both in the case of normal certificate reissues and for Heartbleed-induced reissues.

We first observe that, in general, reissuing a certificate using the same public/private key pair is quite common. Figure 11 presents the fraction of all new certificates that use the same key as the one they are replacing; up to 53% of all reissued certificates do so. This high level of key reuse is

Figure 11: Fraction of new certificates that use the same public/private key pair as the key they are replacing.

Figure 4: Example of lifetime, for certificates for m.scotrail.co.uk. All hosts except one switch to a new certificate after February 10, 2014.

-DOPENSSL_NO_HEARTBEATS or who downgraded their OpenSSL implementation to version 0.9.8 would have their hosts incorrectly flagged as never having been vulnerable. We are similarly unable to determine the fraction of hosts in our dataset that this applies to; we suspect it is small as well, as many operating systems vendors (e.g., Ubuntu) pushed out a Heartbleed security update that is usually automatically applied.

Verification of vulnerability detection. We performed a brief experiment to estimate the false negative rate of our Heartbleed vulnerability detection mechanism. We use a vulnerability scan of the Alexa Top-1M domains conducted by the authors of ZMap [37] on April 9, 2014, which contains a list of hosts they confirmed to be vulnerable to Heartbleed. In our scan on April 28, 2014 (19 days after the ZMap scan), we found that 8,651 of these hosts were still advertising a certificate with the same Common Name. Of these, 1,737 (20.1%) were still vulnerable; the remainder were likely patched in the meantime. Using our fingerprinting methodology above, we would have inferred that 8,483 (98.1%) of the hosts were
runningaversionofOpenSSLthatwasvul-nerableatsomepoint(despitethefactthatthemajorityofthesewereactuallynolongervulnerable).Thishighrateofrecall,coupledwiththeunlikelihoodoffalsenegatives,leadsustoconcludethatourmethodologyforinferringpreviousvulnerabilityishighlyaccurate.4.ANALYSISWenowturntoexaminethecollectedSSLcerti\fcatedata.We\frstpresentafewde\fnitionsweuseintheanalysisbe-foreproceeding.4.1DenitionsWeareconcernedwiththeevolutionofSSLcerti\fcates(i.e.,whenarenewcerti\fcatescreated,oldonesretired,etc.).Toaidinunderstandingthisevolution,wede\fnethefollowingnotions:Certi\fcatebirth:Wede\fnethebirthofanSSLcerti\f-catetobethedateofthe\frstscanwhereweobservedanyhostadvertisingthatcerti\fcate.Forhoststhatweobservedadvertisingacerti\fcateonthevery\frstscan(October30,2013),wede\fnethesecerti\fcatestohavenobirthdate,sincewedonotknowwhentheywere\frstadvertised. Ofcourse,somecerti\fcatesmayhavebeenmissedonthe\frstscanifthehostwasdown;thesecerti\fcateswouldlikely Figure5:Numberofcerti\fcatebirth,deaths,reissues,andrevocationsovertime.Notethelogscaleonthe-axis.Certi\fcatedeath:De\fningthedeathofacerti\fcateismorecomplicated,asweobserveanumberofinstanceswheremanyhostsadvertiseagivencerti\fcate,andthenallbutoneorafewofthehostsswitchovertoanewcerti\fcate(presumably,thesiteintendedtoretiretheoldcerti\fcate,butmissedsomeofthehosts).Tohandlethesecases,wecalculatethemaximumnumberofhoststhatwereeverad-vertisingeachcerti\fcate.Wethende\fnethedeathofanSSLcerti\fcatetobethelastdatethatthenumberofhostsadvertisingthecerti\fcatewasabove10%ofthatcerti\fcate'smaximum.The10%thresholdpreventsusfromincorrectlyclassifyingcerti\fcatesthatarestillwidelyavailableasdead,evenifthecerti\fcatehasbeenreissued.Notethatcerti\f-catesmaynothaveadeathdateifthecerti\fcateisstilladvertisedbymanyIPaddressesonourlastscan.Anexampleofcerti\fcatelifetimeisshowninFigure4,forthecerti\fcatesform.scotrail.co.uk.Allhostsexceptoneswitchtoanewcerti\fcateafterFebruary10,2014;thislonehost\fnallyswitchesonApril28,2014.Inthis
case,wewouldconsiderthedeathdateoftheoldcerti\fcatetobeFebruary10,2014(asindicatedinthe\fgure),andwewouldconsiderthenewcerti\fcatetohavenodeathdate.Basedonthesede\fnitions,wecannowde\fnethenotionofacerti\fcatereissueandrevocation:Certi\fcatereissue:Weconsideracerti\fcatetobereissuedifthefollowingthreeconditionshold:(a)weobservethecerti\fcatedie,and(b)weobserveanewcerti\fcateforthesameCommonNamebornduringascanwithin10daysofthecerti\fcate'sdeath,and(c)weobserveatleastoneIPaddressswitchfromtheoldcerti\fcatetothenewbetweenthetwoscans.Wede\fnethedateofthecerti\fcatereissuetobethedateofthecerti\fcate'sdeath.Forthesakeofclarity,werefertotheoldcerti\fcatethatwasreplacedastheretiredcerti\fcateCerti\fcaterevocation:Weconsideracerti\fcatetobere-vokedifthecerti\fcate'sserialnumberappearsinanyofthecerti\fcate'sCRLs.ThedateofrevocationisprovidedintheCRLentry. showupinthesecondscan(andwouldhaveabirthdateofthenextscan).ThisisthecauseofthesmallspikeinbirthsonNovember2,2013inFigure5.Wechoose10daysasathresholdasthisisthemaximumdi erencebetweentwosuccessivescans. 
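The birth, death and reissue definitions of § 4.1, applied to per-scan host observations, as an added example (not the authors' code). The scans, IP addresses and certificate labels are constructed, modelled on the m.scotrail.co.uk case; reading "within 10 days" as a birth that follows the death date, and checking the IP switch between the death scan and the birth scan, are assumptions.

```python
from collections import Counter
from datetime import date, timedelta

DEATH_FRACTION = 0.10                 # death: last scan above 10% of the peak host count
REISSUE_WINDOW = timedelta(days=10)   # reissue: replacement born within 10 days

# Constructed Common Names for the constructed certificate labels below.
COMMON_NAME = {"cert-old": "m.example.test",
               "cert-new": "m.example.test",
               "cert-other": "static.example.test"}


def build_sample_scans():
    """Constructed data: 12 hosts serve cert-old; after Feb 10 all but one switch."""
    days = [date(2014, 1, 27), date(2014, 2, 3), date(2014, 2, 10),
            date(2014, 2, 17), date(2014, 2, 24)]
    scans = []
    for day in days:
        hosts = {"198.51.100.1": "cert-other"}
        for i in range(1, 13):
            straggler = (i == 1)      # the one host that was missed
            moved = day > date(2014, 2, 10) and not straggler
            hosts[f"192.0.2.{i}"] = "cert-new" if moved else "cert-old"
        scans.append((day, hosts))
    return scans


def host_counts(scans):
    """cert -> [(scan date, number of IPs advertising it)], one entry per scan."""
    certs = {c for _, hosts in scans for c in hosts.values()}
    counts = {c: [] for c in certs}
    for day, hosts in scans:
        seen = Counter(hosts.values())
        for c in certs:
            counts[c].append((day, seen[c]))
    return counts


def birth(cert, counts, first_scan):
    """First scan advertising the cert; None if that is the very first scan."""
    first_seen = next(d for d, n in counts[cert] if n > 0)
    return None if first_seen == first_scan else first_seen


def death(cert, counts, last_scan):
    """Last scan where the host count exceeds 10% of the peak; None if still alive."""
    peak = max(n for _, n in counts[cert])
    last_alive = max(d for d, n in counts[cert] if n > DEATH_FRACTION * peak)
    return None if last_alive == last_scan else last_alive


def reissues(scans, common_name):
    """Return [(retired cert, new cert, reissue date)] under conditions (a)-(c)."""
    by_day = dict(scans)
    first_scan, last_scan = scans[0][0], scans[-1][0]
    counts = host_counts(scans)
    found = []
    for old in counts:
        died = death(old, counts, last_scan)
        if died is None:                                     # (a) old cert must die
            continue
        for new in counts:
            born = birth(new, counts, first_scan)
            if new == old or born is None:
                continue
            if common_name[new] != common_name[old]:         # (b) same Common Name
                continue
            if not (died < born <= died + REISSUE_WINDOW):   # (b) born within 10 days
                continue
            switched = any(by_day[born].get(ip) == new       # (c) some IP switched
                           for ip, cert in by_day[died].items() if cert == old)
            if switched:
                found.append((old, new, died))               # reissue date = death date
    return sorted(found)


if __name__ == "__main__":
    for old, new, when in reissues(build_sample_scans(), COMMON_NAME):
        print(f"{old} retired on {when}, replaced by {new}")
```

The straggler host keeps `cert-old` visible on every scan, yet the 10% threshold still dates its death to the last scan before the fleet moved.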
Figure 2: Fraction of new certificates that we could verify for provided (February 5, 2014 and before) and reconstructed (post February 5, 2014) chains.

certificates has a valid chain; we refer to the collection of all CA certificates on these chains (not including the leaf certificates) as the CA Set; the CA Set contains 910 unique certificates. The Leaf Set certificates cover 166,124 (16.6%) of the Alexa Top-1M domains. This is the set of certificates (and certificate chains) that we use in the remainder of the paper.

Validation of reconstruction. Finally, we briefly validate our certificate chain reconstruction mechanism on the post-February 5, 2014 certificates. In Figure 2, we present the fraction of new certificates discovered over time for which we were able to find a valid chain, both for the pre- and post-February 5, 2014 data. We make two interesting observations: First, the fraction of certificates that we could validate is relatively stable at 2% both before and after the switch to using reconstructed chains, suggesting that our mechanism for chain reconstruction does not miss many chains. Second, we see a large uptick in the fraction of newly-appearing certificates that we could validate after Heartbleed; as we discuss in the following section, this is due to many certificates being reissued in the wake of Heartbleed.

3.3 Collecting CRLs

To determine if and when certificates were revoked, we extracted the CRL URLs out of all Leaf Set certificates. We ignored invalid URLs, including ldap:// protocols and non-routable addresses. We found 626,659 (99.7%) of these certificates to include at least one well-formed, reachable CRL URL; for certificates that included multiple CRL URLs, we included them all. We found a total of 1,386 unique CRL URLs (most certificates use a unified CRL provided by the signing CA, so the small number of CRLs is not surprising). We downloaded all of these CRLs on May 6, 2014, and found 45,268 (7.2%) of the Leaf Set certificates to be revoked.

We also collected the CRL URLs for all certificates in the CA Set. We found that 884 (97.1%) of the certificates in the CA Set included a reachable CRL; the union of these URLs comprised 246 unique reachable URLs. We downloaded these CRLs on May 6, 2014, as well. We found a total of seven CA certificates that were revoked, which nullified the validity of 60 certificates in the Leaf Set (01%).

3.4 Inferring Heartbleed Vulnerability

Finally, we wish to determine if a site was ever vulnerable to the Heartbleed OpenSSL vulnerability (and if it continued to be vulnerable at the end of the study). Doing so allows us to reason about whether the site operators should have reissued their SSL certificate(s) and revoked their old one(s).

Figure 3: Flowchart of inference of previous Heartbleed vulnerability of hosts based on our SSL scan.

Determining if a host is currently vulnerable to Heartbleed is relatively easy, as one can simply send improperly-formatted SSL heartbeat messages to test for vulnerability. However, determining if a site was vulnerable at some point in the past (but has since updated their OpenSSL code) is more challenging.

We observe that only three of the common TLS implementations have ever supported SSL Heartbeats [30]: OpenSSL [24], GnuTLS [33], and Botan [4]. Thus, if a host supports the SSL Heartbeat extension, we know that it is running one of these three implementations. Botan is a library that is targeted for client-side TLS, and we know of no popular web server that is able to use the Botan TLS library. GnuTLS has support for the SSL Heartbeat extension, but it is not enabled by default. To determine if the host is using GnuTLS, we observed that GnuTLS supports the Max Fragment Length SSL extension [1], which is enabled by default, while OpenSSL has never supported this extension. Thus, if we observe a host that supports the SSL Heartbeat extension but not the Max Fragment Length extension, we declare that host to have been running a version of OpenSSL that was vulnerable (see Figure 3 for a graphical representation).

Footnote: In fact, in our scan, we did not discover any hosts that were running GnuTLS with SSL Heartbeats enabled.

To collect the list of sites that were ever vulnerable to Heartbleed, we first extracted the set of IP addresses in the April 28, 2014 Rapid7 scan that were advertising a certificate with a Common Name in the Alexa Top-1M list. We found 5,951,763 unique IP addresses in this set. We then connected to these IP addresses, performed the TLS negotiation, determined the SSL extensions that the host supported, and determined whether the host was still vulnerable to the Heartbleed vulnerability. We also downloaded the set of CA certificates that the host advertised, which we used to aid certificate validation (see § 3.2).

Limitations. Our methodology for inferring a host's vulnerability to Heartbleed has the following limitations. Because we did our scan three weeks after Heartbleed was announced, we may have both false positives and false negatives in detecting whether a host was ever vulnerable to Heartbleed. For false positives, hosts that were upgraded directly from OpenSSL 0.9.8 to OpenSSL 1.0.1g (i.e., bypassing the Heartbleed bug) would be incorrectly flagged as being vulnerable in the past. We suspect this fraction is small, as this would have had to have happened between April 7th (the release of OpenSSL 1.0.1g) and April 28th (our scan), but we are unable to estimate the fraction of hosts this covers. For false negatives, administrators who responded to Heartbleed by either recompiling OpenSSL with

Figure 1: Workflow from raw scans of the IPv4 address space to valid certificates (and corresponding CRLs) from the Alexa Top-1M domains. The Rapid7 data after February 5, 2014 did not include the intermediate (CA) certificates, necessitating additional steps and data to perform validation.

The scans found an average of 26.9 million hosts responding to SSL handshakes on port 443 (an average of 9.12% of the entire IPv4 address space). Across all of the scans, we observed a total of 19,438,865 unique certificates (including all leaf and CA certificates). In the sections below, we describe how we filtered and validated this dataset; an overview of the process is provided in Figure 1.

3.2 Filtering Data

To focus on web destinations that are commonly accessed by users, we use the Alexa Top-1M domains [2] as observed on April 28, 2014. We first extract all leaf (non-CA) certificates that advertise a Common Name (CN) that is in one of the domains in the Alexa list (e.g., we would include certificates for facebook.com, www.facebook.com, as well as *.dev.facebook.com). This set represents 1,573,332 certificates (8.1% of all certificates). In order to remove invalid and self-signed certificates from this list, we then extract all advertised chains for these certificates (which are only present in the scans through February 5, 2014).

Reconstructing chains. The lack of full certificate chains for the post-February 5, 2014 scans (see § 3.1) presents a challenge at this point, as we need the full certificate chains in order to properly validate the leaf certificates. To verify new certificates observed in these later scans, we construct a list of all 4,509 intermediate (CA), non-self-signed certificates observed in previous scans. From these certificates, we use two types of X.509 fields to help with chain reconstruction [6]:

- The Subject Key Identifier and Authority Key Identifier are two fields included in most certificates, and uniquely identify the public key the certificate represents (Subject Key Identifier) and the public key that signed this certificate (Authority Key Identifier). The value is typically implemented as a hash of the public key.
- The Subject Name and Issuer Name are text fields that represent the name of the entity this certificate represents (Subject Name) and the name of entity that signed this certificate (Issuer Name).

Footnote: We also conduct our own crawl (see § 3.4) of hosts advertising certificates in the Alexa list, and included all 4,445 additional non-self-signed CA certificates that we discovered in this list as well. However, we found that none of the additional CA certificates were necessary for validation.

We construct a database of all four of these fields across all 8,954 CA certificates. Using this database, we attempt to reconstruct a leaf certificate's chain based first on the certificate's Authority Key ID and, failing that, the certificate's Issuer Name. In other words, given a leaf certificate, we look for a CA certificate whose Subject Key Identifier is the same as our leaf's Authority Key Identifier. Should we not find one (or should the Subject Key Identifier not be present), we instead look for a CA certificate whose Subject Name is the same as our leaf's Issuer Name. We then recursively apply this technique until we cannot find a parent key, we hit a trusted root certificate, or we hit a self-signed CA certificate. Should we find multiple CA keys that match at any stage, we include them all as potential chains.

Verifying chains. We then unify our set of potential chains, consisting of both host-advertised chains (for the data collected through February 5, 2014) and reconstructed-chains (for the data collected post-February 5, 2014). Unfortunately, despite the leaf certificate having a Common Name in the Alexa list, many of our chains may not be valid (e.g., expired certificates, forged self-signed certificates, certificates signed by an invalid root, etc.). One common source of invalid certificates is home routers/DSL modems provided by ISPs (e.g., FRITZ!Boxes) or cloud-accessible storage devices (e.g., Western Digital's My Cloud), both of which advertise self-signed SSL certificates in the fritz.net and wd2go.com domains.

We removed these invalid chains by running openssl verify on each certificate (and its corresponding chain), and only kept the certificates that OpenSSL could verify. Because the scans occurred at different points of time, we used the faketime library [14] to have OpenSSL validate the certificate as of the time of the scan. We also configure OpenSSL to trust the set of root CA certificates included by default in the OS X 10.9.2 root store [20]; this includes 222 unique root certificates.

After validation, we are left with 628,692 leaf certificates (40.0% of all certificates advertising Alexa domains and 3.2% of all certificates) from Alexa Top-1M domains that were advertised by some IP address and could be validated; we refer to this set of certificates as the Leaf Set. Each of these

new certificates for arbitrary subjects. In such an event, it is important that the owner revokes the compromised certificate as quickly as possible to mitigate the set of users affected by the compromise.

Certificate Revocation Lists (CRLs) are by far the most common means of disseminating revocations. CRLs consist of a list of (serial number, timestamp of revocation, reason for revocation) triples, all of which are collectively signed by the CA. CAs include in the certificates that they issue a URL pointing to the CRL that would contain that certificate's serial number, if it were to become revoked. Clients periodically download and cache CRLs, and use them when validating a certificate chain. Ostensibly to reduce the communication overhead for CAs and for users, clients typically download CRLs infrequently (on the order of hours or days), potentially leaving many users with outdated information on the validity of their certificates. This has spurred several studies into more efficient means of revocation [12, 21, 23, 29, 36], and general doubt as to the overall efficacy of revocations [28]. Yet, CRLs remain the de facto means of disseminating revocation information, and thus they factor heavily in our study.

2.3 Certificate Reissues

When a site ceases to use a certificate (for instance because they found that the certificate has been compromised, or because the certificate expired) they must use a new certificate instead. This process is referred to as reissuing the certificate. To do so, the system administrator must contact the CA who signed their certificate and request a new signature; this is typically done by sending the CA a Certificate Signing Request (CSR). In the case where the private key may have been compromised, the administrator should also choose a new public/private key pair to be signed (as reissuing the certificate with the same key does nothing to mitigate the leaked private key).

While it seems natural to assume that certificates are reissued at precisely the moment the old certificate is revoked, in fact today's PKI protocols make no such requirement. As our study will demonstrate, reissues can happen before, during, or after a revocation, or even without revoking the old certificate at all. To the best of our knowledge, we are the first to correlate revocations with reissues.

2.4 Heartbleed

Heartbleed is a buffer over-read vulnerability discovered in OpenSSL [24] that was present in versions 1.0.1 (released March 14, 2012) through 1.0.1f. The vulnerability stems from a bug in OpenSSL's implementation of the TLS Heartbeat Extension [30]. The intended functionality of TLS Heartbeat is to allow a client to test a secure communication channel by sending a "heartbeat" message consisting of a string and the 16-bit payload_length of this string.

Unfortunately, vulnerable OpenSSL versions fail to check that the payload_length supplied by the client matches the length of the provided string. This allows a malicious client to craft a heartbeat message containing a 1-byte string and 1 as the payload_length. In this case, OpenSSL will allocate a 64KB block of heap memory, memcpy() 64KB of data into it, starting with the 1-byte string, and finally send the contents of the entire buffer to the client. In effect, this allows the malicious client to read up to 22 bytes of the server's heap memory. Note that while the malicious client can choose the amount of memory to read, it has no control over the location of the memory that is copied, and therefore cannot choose which memory to read.

By repeatedly exploiting Heartbleed, an attacker can extract sensitive data from the server (e.g., SSL private keys [32], user data [13], etc.). The severity of Heartbleed is exacerbated by the fact that OpenSSL does not log heartbeat messages, giving attackers free reign to undetectably exploit Heartbleed. Given the severity and undetectable nature of malicious users exploiting Heartbleed, site operators were urged to immediately update their OpenSSL software and revoke and reissue their certificates [5].

Timeline. Heartbleed was first discovered by Neel Mehta from Google on March 21, 2014. Google immediately wrote a patch and applied it to their own OpenSSL deployments. On April 2, researchers at Finnish security company Codenomicon independently discovered the bug and dubbed it Heartbleed. On April 4, Akamai patched their servers. On April 7, the bug became public and the OpenSSL project released a patched version (1.0.1g) of the OpenSSL library [15].

Why study Heartbleed? The significance of this timeline, and of Heartbleed in general, is that it represents a point in time after which all vulnerable servers should have taken three critical steps to ensure the security of their service and their users: they should have patched their code, revoked their old certificate, and reissued a new one. As a result, Heartbleed acts as a sort of natural experiment, allowing us to measure how completely and quickly administrators took steps to secure their keys. While such events are (sadly) not terribly uncommon for general security vulnerabilities [25, 27, 35], it remains rare that such a large fraction of the certificate ecosystem must reissue and revoke their SSL certificates.

3. DATA AND METHODOLOGY

We now describe the datasets that we collected and our methodology for determining a host's SSL certificate, when it was in use, if and when the certificate was revoked, and if the host was (or is still) vulnerable to the Heartbleed bug.

3.1 Certificate Data Source

We obtain our collection of SSL certificates from (roughly) weekly scans of the entire IPv4 address space made available by Rapid7 [26]. In this paper, we use scans collected between October 30, 2013 and April 28, 2014. There are a total of 28 scans during this period, giving an average of 6.7 days (with a minimum of 3 days and maximum of 9 days) between successive scans.

The scan data includes all certificates advertised by each host (including intermediate and root certificates) in the scans up through February 5, 2014, and includes only the first advertised certificate by each host in the later scans. For example, suppose that a host is advertising a chain of three certificates: a certificate for example.com, a certificate for GeoTrust, and self-signed root certificate, where each certificate signs the previous. The earlier scans would include all three certificates, whereas the later scans would include only the certificate for example.com. The lack of full certificate chains in the later scans presents challenges for validation, which we address in § 3.2.
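The chain reconstruction that § 3.2 describes for these later scans, as an added example that is not the authors' code: match a certificate's Authority Key Identifier to a CA's Subject Key Identifier, fall back to Issuer Name against Subject Name, and recurse, keeping every match as a candidate chain. Certificates are constructed dictionaries rather than parsed X.509, and treating issuer equal to subject as "self-signed" is an assumption.

```python
from collections import defaultdict

# Constructed CA database: a cross-signed intermediate (two certs, same key K2),
# a legacy intermediate without key identifiers, one trusted and one untrusted root.
CA_CERTS = [
    {"id": "int-1a", "subject": "Example Issuing CA", "issuer": "Example Root A",
     "ski": "K2", "aki": "KA"},
    {"id": "int-1b", "subject": "Example Issuing CA", "issuer": "Example Root B",
     "ski": "K2", "aki": "KB"},
    {"id": "int-legacy", "subject": "Legacy CA", "issuer": "Example Root A",
     "ski": None, "aki": None},
    {"id": "root-a", "subject": "Example Root A", "issuer": "Example Root A",
     "ski": "KA", "aki": "KA"},
    {"id": "root-b", "subject": "Example Root B", "issuer": "Example Root B",
     "ski": "KB", "aki": None},
]
TRUSTED_ROOTS = {"root-a"}   # stands in for the client root store

LEAF_1 = {"id": "leaf-1", "subject": "www.example.test",
          "issuer": "Example Issuing CA", "ski": "L1", "aki": "K2"}
LEAF_2 = {"id": "leaf-2", "subject": "legacy.example.test",
          "issuer": "Legacy CA", "ski": None, "aki": None}
LEAF_3 = {"id": "leaf-3", "subject": "orphan.example.test",
          "issuer": "Unknown CA", "ski": "L3", "aki": "Q9"}


def build_index(ca_certs):
    """Index the CA database by Subject Key Identifier and by Subject Name."""
    by_ski, by_subject = defaultdict(list), defaultdict(list)
    for ca in ca_certs:
        if ca.get("ski"):
            by_ski[ca["ski"]].append(ca)
        by_subject[ca["subject"]].append(ca)
    return by_ski, by_subject


def parents(cert, by_ski, by_subject):
    """Candidate issuers: AKI == SKI first, else Issuer Name == Subject Name."""
    matches = by_ski.get(cert["aki"], []) if cert.get("aki") else []
    if not matches:
        matches = by_subject.get(cert["issuer"], [])
    return matches


def reconstruct(leaf, ca_certs, trusted_roots):
    """Return every candidate chain (as lists of cert ids), leaf first."""
    by_ski, by_subject = build_index(ca_certs)
    chains = []

    def extend(chain):
        tip = chain[-1]
        # Stop at a trusted root or at a self-signed certificate.
        if tip["id"] in trusted_roots or tip["issuer"] == tip["subject"]:
            chains.append(chain)
            return
        in_chain = {c["id"] for c in chain}            # guard against signing loops
        found = [p for p in parents(tip, by_ski, by_subject)
                 if p["id"] not in in_chain]
        if not found:                                  # no parent key: partial chain
            chains.append(chain)
            return
        for parent in found:                           # keep all matches as candidates
            extend(chain + [parent])

    extend([leaf])
    return [[c["id"] for c in chain] for chain in chains]


if __name__ == "__main__":
    for leaf in (LEAF_1, LEAF_2, LEAF_3):
        for chain in reconstruct(leaf, CA_CERTS, TRUSTED_ROOTS):
            print(" -> ".join(chain))
```

The candidates are only structural; the chain ending at the untrusted `root-b` and the one-element chain for `leaf-3` are the kind that the subsequent `openssl verify` step is there to discard.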
servers that were susceptible to Heartbleed should have operated under the assumption that an attacker had already obtained their private keys, and therefore should have revoked their certificates and reissued new ones [5], ideally as soon as the vulnerability was publicly announced.

The scope of this vulnerability (it is estimated that up to 17% of all HTTPS web servers were vulnerable [22]) makes it an ideal case study for evaluating large-scale properties of SSL security in the face of private key compromise. While previous studies have measured how quickly and thoroughly administrators patch software vulnerabilities [25, 27, 35], we are, to the best of our knowledge, the first to study administration of certificates in the wake of a vulnerability. In particular, this paper focuses on certificate revocation and reissues in response to the public announcement of Heartbleed, both in terms of how quickly certificates are reissued and whether or not the certificates are eventually revoked.

Toward this goal, we make the following key contributions.

First, we conduct a large-scale measurement study of SSL certificates in the wild using both data collected from public archives and through custom measurements conducted after Heartbleed was publicized. We focus on the Alexa Top 1 Million (Top-1M) domains, for which we find a total of 628,692 valid SSL certificates from 166,124 unique domains.

Second, we conduct measurements to determine which servers remain vulnerable to Heartbleed and which ones were previously vulnerable but are now patched. We develop a new SSL implementation fingerprinting technique that is able to determine if a host is running a version of OpenSSL that was vulnerable in the past. We cross-validate with direct measurements of the vulnerability (we find our technique has a false positive rate of only 1.9%) and conduct scans to compose a list of previously vulnerable hosts. We find that the most popular websites were more likely to have at least one host vulnerable to Heartbleed, likely because they often have more hosts.

Third, we develop novel heuristics to identify which certificates have been reissued in direct response to Heartbleed, as opposed to other reasons such as certificate expiration or periodic reissues. This allows us to understand how administrators do (or do not) react to potential private key compromise. We observe that while vulnerable sites with a higher Alexa rank were more likely to reissue their certificates, the vast majority (73.3%) of vulnerable certificates had not been reissued fully three weeks after the vulnerability was announced. These vulnerable certificates come from more than 55,000 unique domains.

Fourth, we analyze certificate revocation behavior over time and across certificate owners. We find a sharp (up to 40-fold) increase in revocations per day after the Heartbleed announcement, but for the majority (60%) of reissued certificates, the previous (vulnerable) certificate was not revoked. For those that are revoked due to Heartbleed, we find more revocations in certificate revocation lists (CRLs) to have explanations (reason codes) than revocations unrelated to Heartbleed, and they appear in the CRLs more quickly than revocations not due to Heartbleed. Further, we examine the update frequency of CRLs to determine if Certificate Authorities (CAs), the entities that issue certificates, serve as a "bottleneck" for revocations (as it is the CA who maintains the CRL). We find that CRLs appear to be updated frequently, with over 95% of them being updated within the previous 24-hour period.

The remainder of this paper is organized as follows. In the next section, we provide background about SSL/TLS, PKIs, and the Heartbleed vulnerability. In § 3 we describe our dataset and methodology for extracting valid certificates and determining Heartbleed vulnerability at servers. § 4 presents the results of our analysis, where we identify the behavior of certificate reissuing and revocation on a large dataset of Alexa's Top-1M websites. We summarize related work in § 5 and conclude in § 6.

2. BACKGROUND

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) offer application-layer confidentiality and integrity, and are the basis of the vast majority of secure online communication. Through the use of a public key infrastructure (PKI), these protocols also allow clients to authenticate the servers with whom they communicate. In this section, we provide a brief background of SSL/TLS and PKIs relevant to our study, and describe the recent Heartbleed vulnerability.

2.1 Certificates

A certificate is, at its core, a signed attestation binding a subject to a public key. Certificates are signed by a Certificate Authority (CA), who in turn has its own certificate, and so on, terminating at self-signed root certificates. There is a logical chain of certificates (leading from a root certificate through zero or more intermediate certificates, to a leaf certificate) wherein the certificate at level is signed with the private key corresponding to the certificate at level with the exception of the self-signed certificate at the root. In practice, the topology of certificates can be somewhat complex, with CAs signing one another's certificates [17], but such details are not pertinent to the study performed in this paper.

When a client visits a site that supports, say, HTTPS, that site sends its certificate chain to the client, who verifies the signatures from leaf to root. If the client can successfully validate each signature, and if the client trusts the root certificate (for instance by checking it against a set of certificates pre-installed in the browser or operating system) then the client infers that the subject in the leaf certificate truly is the owner of the public key.

The predominant format of certificates is X.509 [6], which includes considerably more information than just subject and public key, including a unique (for that CA) serial number, an expiration date, the key's cipher suite, acceptable uses of the key, and information on how to check whether the certificate has been revoked.

2.2 Certificate Revocation

In addition to issuing certificates, CAs are also responsible for making available a list of certificates it has issued that have been revoked, after which clients should no longer consider those certificates valid. Note that, if a CA's (intermediate or root) certificate is revoked, all leaf certificates signed by that CA will fail to validate.

There are many reasons a site can decide to revoke a certificate. One critically important example is that of a compromised certificate. A certificate is compromised if someone other than its original owner learns the corresponding private key, allowing that person to generate signatures and thus impersonate the owner. In the case of a CA certificate, release of the private key may allow an attacker to generate

Analysis of SSL Certificate Reissues and Revocations in the Wake of Heartbleed

Liang Zhang, Northeastern University, liang@ccs.neu.edu
David Choffnes, Northeastern University, choffnes@ccs.neu.edu
Dave Levin, University of Maryland, dml@cs.umd.edu
Tudor Dumitraş, University of Maryland, tdumitra@umiacs.umd.edu
Alan Mislove, Northeastern University, amislove@ccs.neu.edu
Aaron Schulman, Stanford University, aschulm@stanford.edu
Christo Wilson, Northeastern University, cbw@ccs.neu.edu

ABSTRACT

Central to the secure operation of a public key infrastructure (PKI) is the ability to revoke certificates. While much of users' security rests on this process taking place quickly, in practice, revocation typically requires a human to decide to reissue a new certificate and revoke the old one. Thus, having a proper understanding of how often systems administrators reissue and revoke certificates is crucial to understanding the integrity of a PKI. Unfortunately, this is typically difficult to measure: while it is relatively easy to determine when a certificate is revoked, it is difficult to determine whether and when an administrator should have revoked.

In this paper, we use a recent widespread security vulnerability as a natural experiment. Publicly announced in April 2014, the Heartbleed OpenSSL bug potentially (and undetectably) revealed servers' private keys. Administrators of servers that were susceptible to Heartbleed should have revoked their certificates and reissued new ones, ideally as soon as the vulnerability was publicly announced. Using a set of all certificates advertised by the Alexa Top 1 Million domains over a period of six months, we explore the patterns of reissuing and revoking certificates in the wake of Heartbleed. We find that over 73% of vulnerable certificates had yet to be reissued and over 87% had yet to be revoked three weeks after Heartbleed was disclosed. Moreover, our results show a drastic decline in revocations on the weekends, even immediately following the Heartbleed announcement. These results are an important step in understanding the manual processes on which users rely for secure, authenticated communication.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org. November 5–7, 2014, Vancouver, BC, Canada. Copyright is held by the owner/author(s). Publication rights licensed to ACM. ACM 978-1-4503-3213-2/14/11 ...$15.00. http://dx.doi.org/10.1145/2663716.2663758.

Categories and Subject Descriptors

C.2.2 [Computer-Communication Networks]: Network Protocols; C.2.3 [Computer-Communication Networks]: Network Operations; E.3 [Data Encryption]: Public Key Cryptosystems, Standards

Keywords

Heartbleed; SSL; TLS; HTTPS; X.509; Certificates; Reissue; Revocation; Extended validation

1. INTRODUCTION

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the de-facto standards for securing Internet transactions such as banking, e-mail and e-commerce. Along with a public key infrastructure (PKI), SSL provides trusted identities via certificate chains and private communication via encryption. Central to these guarantees is that private keys used in SSL are not compromised by third parties; if so, certificates based on those private keys must be reissued and revoked to ensure that malicious third parties cannot masquerade as a trusted entity.

Footnote: TLS is the successor of SSL, but both use the same X.509 certificates. Throughout the paper, we refer to "SSL clients" and "SSL certificates," but our findings apply equally to servers using both protocols.

Importantly, the PKI uses a default-valid model where potentially compromised certificates remain valid until their expiration date or until they are revoked. Revocation, however, is a process that requires manual intervention from certificate owners and cooperation from clients that use these certificates. As a result, the practical security of the PKI is dependent on the speed with which certificate owners and SSL clients update their revocation lists, operations that occur at human timescales (hours or days) instead of computer ones (seconds or minutes).

An important open question is: when private keys are compromised, how long are SSL clients exposed to potential attacks? In this paper, we address this question using a recent widespread security vulnerability as a natural experiment. In mid-April 2014, an OpenSSL security vulnerability, Heartbleed, made it possible for attackers to inspect servers' memory contents, thereby potentially (and undetectably) revealing servers' private keys. Administrators of
